
Process Initiated Network Connection To Ngrok Domain

Sigma Rules

Summary
This detection rule identifies processes on Windows hosts that initiate an outbound network connection to a hostname belonging to 'ngrok'. Ngrok exposes a local service through a tunnel to ngrok's edge, so adversaries use it to stage second-stage payloads, reach a command-and-control channel, or exfiltrate data, with the traffic blending in as ordinary TLS/HTTPS to a reputable domain rather than to attacker-owned infrastructure. Some connections to ngrok domains are legitimate (developers testing webhooks or sharing a local service), but the same behavior is a strong indicator of adversary activity when it appears in an unusual context, for example from a system or office process, a process launched from a temporary directory, or on a host where no tunneling is expected. The rule matches destination hostnames ending with '.ngrok-free.app', '.ngrok-free.dev', '.ngrok.app', '.ngrok.dev' and '.ngrok.io'; it is assigned a high level because of the risk the behavior carries. False positives from legitimate ngrok use are possible, so each alert should be evaluated against the initiating process, the host's role and the surrounding network activity.
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
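A runnable version of the rule's matching logic over constructed Sysmon Event ID 3 (network connection) records, added here as an illustration rather than taken from the SigmaHQ repository. The pipe-delimited log format, the sample records, the `Initiated=true` filter (assumed from the rule title, which speaks of process-initiated connections) and the optional per-process allowlist are all assumptions made for this example; real Sysmon events carry the same field names in XML/EVTX. The example also exercises two details a practitioner should check in any implementation: Sigma string matching is case-insensitive, and the leading dot in each suffix means a lookalike such as `notngrok.io` must not match.

```python
"""Reference implementation of the 'network connection to ngrok domain' logic.
Added example, not SigmaHQ code. The log format below is constructed for the demo."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hostname suffixes the rule keys on (Sigma `endswith`, matched case-insensitively).
NGROK_SUFFIXES = (".ngrok-free.app", ".ngrok-free.dev", ".ngrok.app", ".ngrok.dev", ".ngrok.io")


@dataclass(frozen=True)
class NetConnEvent:
    event_id: int
    image: str
    destination_hostname: str
    destination_port: int
    initiated: bool


def parse_event(line: str) -> Optional[NetConnEvent]:
    """Parse one constructed record: EventID|Image|DestinationHostname|DestinationPort|Initiated."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None  # malformed record; skip rather than raise inside a detection loop
    event_id, image, host, port, initiated = parts
    return NetConnEvent(int(event_id), image, host, int(port), initiated.lower() == "true")


def is_ngrok_destination(hostname: str) -> bool:
    """Sigma `endswith` semantics: case-insensitive suffix match.
    The dot in each suffix is what keeps 'notngrok.io' from matching '.ngrok.io'."""
    h = hostname.lower()
    return any(h.endswith(s) for s in NGROK_SUFFIXES)


def matches_rule(ev: NetConnEvent) -> bool:
    """Sysmon network connection (ID 3), initiated by the local process (assumed filter),
    whose destination hostname ends with one of the ngrok suffixes."""
    return ev.event_id == 3 and ev.initiated and is_ngrok_destination(ev.destination_hostname)


def run_detection(lines: Iterable[str], allowed_images: Iterable[str] = ()) -> List[NetConnEvent]:
    """Return the events that fire the rule, minus an optional local allowlist of process
    images (an assumed tuning hook for known-legitimate ngrok use, not part of the rule)."""
    allow = {a.lower() for a in allowed_images}
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not matches_rule(ev):
            continue
        if ev.image.lower() in allow:
            continue
        hits.append(ev)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"3|C:\Windows\System32\rundll32.exe|1a2b-3c4d.ngrok-free.app|443|true",   # fires
    r"3|C:\Program Files\Mozilla Firefox\firefox.exe|www.example.com|443|true",  # benign
    r"3|C:\Users\dev\AppData\Local\ngrok\ngrok.exe|tunnel.ngrok.com|443|true",   # ngrok.com is not in the list
    r"3|C:\Windows\System32\svchost.exe|notngrok.io|80|true",                    # lookalike, no dot boundary
    r"3|C:\Windows\Temp\update.exe|ABC.NGROK.IO|8080|true",                      # fires: case-insensitive
    r"3|C:\Windows\System32\cmd.exe|x.ngrok.io|443|false",                       # inbound, Initiated=false
    r"garbage line without fields",                                              # skipped by the parser
]

if __name__ == "__main__":
    for ev in run_detection(SAMPLE_LOG):
        print(f"ALERT image={ev.image} dest={ev.destination_hostname}:{ev.destination_port}")
```

Note that the third record does not fire: the ngrok agent's own control connection goes to a hostname outside the listed suffixes, so this rule catches traffic to tunnel endpoints, not necessarily the agent itself; pair it with a process-creation rule for the ngrok binary if that coverage is wanted.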
Created: 2022-07-16