Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849)

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using "ngrok" to store their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | 1 |
| Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) | Attack Pattern | 1 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | 1 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | 1 |
| Communication To Ngrok Tunneling Service Initiated (1d08ac94-400d-4469-a82f-daee9a908849) | Sigma-Rules | Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | 1 |
| Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | 2 |