Sigma rules · ngrok · threatengine.sh

Sigma

Sigma rules for ngrok

5 rules · scoped to tool · back to ngrok

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

5 of 5

direct high

Communication To Ngrok Tunneling Service - Linux

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

status test author Florian Roth (Nextron Systems) id 19bf6fdb-7721-4f3d-867f-53467f6a5db6 license Sigma · DRL-1.1

view Sigma YAML

title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1568.002
    - attack.t1572
    - attack.t1090
    - attack.t1102
    - attack.s0508
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'tunnel.us.ngrok.com'
            - 'tunnel.eu.ngrok.com'
            - 'tunnel.ap.ngrok.com'
            - 'tunnel.au.ngrok.com'
            - 'tunnel.sa.ngrok.com'
            - 'tunnel.jp.ngrok.com'
            - 'tunnel.in.ngrok.com'
    condition: selection
falsepositives:
    - Legitimate use of ngrok
level: high

direct high

Communication To Ngrok Tunneling Service Initiated

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

status test author Florian Roth (Nextron Systems) id 1d08ac94-400d-4469-a82f-daee9a908849 license Sigma · DRL-1.1

view Sigma YAML

title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
    - id: 18249279-932f-45e2-b37a-8925f2597670
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" tunneling domains.
    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1568.002
    - attack.t1572
    - attack.t1090
    - attack.t1102
    - attack.s0508
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'tunnel.us.ngrok.com'
            - 'tunnel.eu.ngrok.com'
            - 'tunnel.ap.ngrok.com'
            - 'tunnel.au.ngrok.com'
            - 'tunnel.sa.ngrok.com'
            - 'tunnel.jp.ngrok.com'
            - 'tunnel.in.ngrok.com'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
level: high

direct high

Process Initiated Network Connection To Ngrok Domain

Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

status test author Florian Roth (Nextron Systems) id 18249279-932f-45e2-b37a-8925f2597670 license Sigma · DRL-1.1

view Sigma YAML

title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
    - id: 1d08ac94-400d-4469-a82f-daee9a908849
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" domains.
    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
    - https://ngrok.com/
    - https://ngrok.com/blog-post/new-ngrok-domains
    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022-07-16
modified: 2025-07-30
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
    - attack.t1102
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.ngrok-free.app'
            - '.ngrok-free.dev'
            - '.ngrok.app'
            - '.ngrok.dev'
            - '.ngrok.io'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high

direct high

PUA - Ngrok Execution

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

status test author Florian Roth (Nextron Systems) id ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 license Sigma · DRL-1.1

view Sigma YAML

title: PUA - Ngrok Execution
id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
status: test
description: |
  Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
  Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
references:
    - https://ngrok.com/docs
    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
    - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
    - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
    - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/
    - https://twitter.com/xorJosh/status/1598646907802451969
    - https://www.softwaretestinghelp.com/how-to-use-ngrok/
author: Florian Roth (Nextron Systems)
date: 2021-05-14
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - ' tcp 139'
            - ' tcp 445'
            - ' tcp 3389'
            - ' tcp 5985'
            - ' tcp 5986'
    selection2:
        CommandLine|contains|all:
            - ' start '
            - '--all'
            - '--config'
            - '.yml'
    selection3:
        Image|endswith: 'ngrok.exe'
        CommandLine|contains:
            - ' tcp '
            - ' http '
            - ' authtoken '
    selection4:
        CommandLine|contains:
            - '.exe authtoken '
            - '.exe start --all'
    condition: 1 of selection*
falsepositives:
    - Another tool that uses the command line switches of Ngrok
    - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
level: high

direct high

Ngrok Usage with Remote Desktop Service

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

status test author Florian Roth (Nextron Systems) id 64d51a51-32a6-49f0-9f3d-17e34d640272 license Sigma · DRL-1.1

view Sigma YAML

title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: windows
    service: terminalservices-localsessionmanager
detection:
    selection:
        EventID: 21
        Address|contains: '16777216'
    condition: selection
falsepositives:
    - Unknown
level: high

Showing 1-5 of 5

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin