
Process Initiated Network Connection To Ngrok Domain (18249279-932f-45e2-b37a-8925f2597670)

Detects an executable initiating a network connection to an "ngrok" domain. Attackers have been observed using ngrok tunnels to host their second-stage payloads and malware. While communication with such domains can be legitimate (ngrok is a widely used developer tool), it is often a sign of either data exfiltration by a malicious actor or the download of additional tooling.
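The detection logic the rule describes, applied to a handful of constructed Sysmon Event ID 3 (network connection) records. This is an added example, not the Sigma rule itself or any code from the rule's authors; the list of ngrok domain suffixes, the event field names and all sample events are assumptions made for illustration, and the real rule's domain list may differ.

```python
"""Added example: flag processes that initiate a network connection to an
ngrok domain, using constructed Sysmon Event ID 3 records as input."""

from __future__ import annotations

# ASSUMPTION: domain suffixes under which ngrok exposes tunnel endpoints.
# Illustrative only; the published rule's list may be different.
NGROK_DOMAIN_SUFFIXES = ("ngrok.io", "ngrok.com", "ngrok.app", "ngrok-free.app")

# Constructed Sysmon Event ID 3 records reduced to the fields the check needs.
# Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "Initiated": "true",
     "DestinationHostname": "tunnel.us.ngrok.com", "DestinationPort": "443"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": "true",
     "DestinationHostname": "www.example.com", "DestinationPort": "443"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Initiated": "true",
     "DestinationHostname": "abcd-1234.ngrok-free.app", "DestinationPort": "443"},
    # Looks similar but is a different domain; a naive endswith("ngrok.io") would hit it.
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "DestinationHostname": "notngrok.io", "DestinationPort": "80"},
    # Connection by IP only: Sysmon has no hostname to match on.
    {"Image": r"C:\Windows\System32\curl.exe", "Initiated": "true",
     "DestinationHostname": "", "DestinationPort": "8080"},
    # Upper-case FQDN with trailing dot: must still match.
    {"Image": r"C:\Windows\System32\rundll32.exe", "Initiated": "true",
     "DestinationHostname": "ABCD.NGROK.IO.", "DestinationPort": "443"},
    # Inbound connection (Initiated=false): not process-initiated, out of scope.
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "false",
     "DestinationHostname": "tunnel.eu.ngrok.com", "DestinationPort": "443"},
]


def normalize_hostname(hostname: str) -> str:
    """Lower-case and drop a trailing dot so FQDN spellings compare equal."""
    return hostname.strip().lower().rstrip(".")


def is_ngrok_hostname(hostname: str) -> bool:
    """True if the hostname is an ngrok domain or a subdomain of one.

    The match is done on label boundaries: 'x.ngrok.io' matches, 'notngrok.io'
    does not. An empty hostname (IP-only connection) never matches.
    """
    host = normalize_hostname(hostname)
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in NGROK_DOMAIN_SUFFIXES)


def detect_ngrok_connections(events: list[dict]) -> list[dict]:
    """Return one alert per event in which a local process initiated a
    connection to an ngrok domain (outbound only, hostname-based match)."""
    alerts = []
    for ev in events:
        if ev.get("Initiated", "").lower() != "true":
            continue  # inbound connections are not process-initiated
        dest = ev.get("DestinationHostname", "")
        if not is_ngrok_hostname(dest):
            continue
        alerts.append({
            "image": ev.get("Image", ""),
            "destination": normalize_hostname(dest),
            "port": ev.get("DestinationPort", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ngrok_connections(SAMPLE_EVENTS):
        print(f"ALERT {alert['image']} -> {alert['destination']}:{alert['port']}")
```

Two points worth carrying into a production rule: match on label boundaries rather than a bare substring, and remember that the hostname field is only populated when Sysmon can resolve the destination, so connections made directly to a tunnel's IP address will not be caught by this check alone. Because developers do use ngrok legitimately, triage should start from the initiating image (a binary in a temp or user-writable path is far more suspicious than a known developer tool).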

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) | Attack Pattern | Process Initiated Network Connection To Ngrok Domain (18249279-932f-45e2-b37a-8925f2597670) | Sigma-Rules | 1 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) | Attack Pattern | 2 |