
Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849)

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been observed using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or of an additional download.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 1 |
| Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 1 |
| Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) | Attack Pattern | 1 |
| Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | 1 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | 1 |
| Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | 2 |