Techniques
Sample rules
Communication To Ngrok Tunneling Service Initiated
- source: sigma
- techniques:
  - t1090
  - t1102
  - t1567
  - t1568
  - t1568.002
  - t1572
Description
Detects an executable initiating a network connection to “ngrok” tunneling domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
Detection logic
condition: selection
selection:
  DestinationHostname|contains:
    - tunnel.us.ngrok.com
    - tunnel.eu.ngrok.com
    - tunnel.ap.ngrok.com
    - tunnel.au.ngrok.com
    - tunnel.sa.ngrok.com
    - tunnel.jp.ngrok.com
    - tunnel.in.ngrok.com
Process Initiated Network Connection To Ngrok Domain
- source: sigma
- techniques:
  - t1567
  - t1567.001
Description
Detects an executable initiating a network connection to “ngrok” domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
Detection logic
condition: selection
selection:
  DestinationHostname|endswith:
    - .ngrok-free.app
    - .ngrok-free.dev
    - .ngrok.app
    - .ngrok.dev
    - .ngrok.io
  Initiated: 'true'
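As an added example (not part of either Sigma rule above), the following Python evaluator applies both selections to constructed Sysmon-style network connection events. The hostname lists are taken from the two rules; the event records and the Image paths are made up, and matching is case-insensitive as Sigma string modifiers are by default.

```python
# Minimal evaluator for the two ngrok Sigma selections on this page.
# Hostname fragments are copied from the rules; events below are constructed.

# Rule 1: DestinationHostname|contains (no Initiated check in that rule).
NGROK_TUNNEL_CONTAINS = [
    "tunnel.us.ngrok.com", "tunnel.eu.ngrok.com", "tunnel.ap.ngrok.com",
    "tunnel.au.ngrok.com", "tunnel.sa.ngrok.com", "tunnel.jp.ngrok.com",
    "tunnel.in.ngrok.com",
]
# Rule 2: DestinationHostname|endswith, AND Initiated: 'true'.
NGROK_DOMAIN_ENDSWITH = [
    ".ngrok-free.app", ".ngrok-free.dev", ".ngrok.app", ".ngrok.dev", ".ngrok.io",
]


def rule_tunnel_service(event: dict) -> bool:
    """'Communication To Ngrok Tunneling Service Initiated' selection."""
    host = str(event.get("DestinationHostname", "")).lower()
    return any(frag in host for frag in NGROK_TUNNEL_CONTAINS)


def rule_ngrok_domain(event: dict) -> bool:
    """'Process Initiated Network Connection To Ngrok Domain' selection."""
    host = str(event.get("DestinationHostname", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and any(host.endswith(sfx) for sfx in NGROK_DOMAIN_ENDSWITH)


RULES = (("tunnel_service", rule_tunnel_service), ("ngrok_domain", rule_ngrok_domain))


def evaluate(events) -> list:
    """Return (event index, names of rules that fired) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        names = [name for name, rule in RULES if rule(ev)]
        if names:
            hits.append((i, names))
    return hits


# Constructed events modelled on Sysmon Event ID 3 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\ngrok.exe", "DestinationHostname": "tunnel.us.ngrok.com", "Initiated": "true"},
    {"Image": r"C:\Users\u\ngrok.exe", "DestinationHostname": "abcd-1234.ngrok-free.app", "Initiated": "true"},
    # Inbound connection: endswith matches but Initiated is false, so rule 2 stays quiet.
    {"Image": r"C:\Windows\svc.exe", "DestinationHostname": "abcd.ngrok.io", "Initiated": "false"},
    {"Image": r"C:\Program Files\Browser\b.exe", "DestinationHostname": "www.example.com", "Initiated": "true"},
]

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["DestinationHostname"], names)
```

The third event shows why the second rule keys on Initiated: an inbound connection from an ngrok hostname matches the suffix but is not the outbound beaconing the rule describes.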