Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.[1] |
Enterprise | T1567 | Exfiltration Over Web Service | ngrok has been used by threat actors to configure servers for data exfiltration.[5] |
Enterprise | T1572 | Protocol Tunneling | ngrok can tunnel RDP and other services securely over internet connections.[2][3][5][6] |
Enterprise | T1090 | Proxy | ngrok can be used to proxy connections to machines located behind NAT or firewalls.[5][1] |
Enterprise | T1102 | Web Service | ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[1] |

ID | Name | References |
---|---|---|
G1003 | Ember Bear | Ember Bear used ngrok during intrusions against Ukrainian victims.[7] |
G1015 | Scattered Spider | Scattered Spider has used ngrok to create secure tunnels to remote web servers.[8] |
G0140 | LazyScripter | |
G0117 | Fox Kitten | |