Potential Protocol Tunneling via Cloudflared

 1[metadata]
 2creation_date = "2026/03/18"
 3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 4maturity = "production"
 5updated_date = "2026/03/18"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries
11may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data
12through Cloudflare's edge while evading direct connection blocking.
13"""
14from = "now-9m"
15index = [
16    "endgame-*",
17    "logs-crowdstrike.fdr*",
18    "logs-endpoint.events.process-*",
19    "logs-m365_defender.event-*",
20    "logs-sentinel_one_cloud_funnel.*",
21    "logs-system.security*",
22    "logs-windows.sysmon_operational-*",
23    "winlogbeat-*",
24]
25language = "eql"
26license = "Elastic License v2"
27name = "Potential Protocol Tunneling via Cloudflared"
28note = """## Triage and analysis
29
30### Investigating Potential Protocol Tunneling via Cloudflared
31
32Cloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare's edge. Adversaries abuse it to create quick or named tunnels for C2, data exfiltration, or ingress tool transfer while evading direct connection blocking.
33
34### Possible investigation steps
35
36- Confirm the process command line for `tunnel`, `--url`, or `tunnel run` to validate cloudflared tunnel usage.
37- Identify the parent process and process executable path; cloudflared run from temp or user writable locations is more suspicious than from Program Files.
38- For quick tunnel (`--url http://...`), identify the local URL and whether it could be a C2 callback or proxy.
39- Correlate with network data for outbound connections to Cloudflare IPs or trycloudflare.com-style hostnames around the same time.
40- Review the user and session that started the tunnel; look for other suspicious logon or execution from the same context.
41
42### False positive analysis
43
44- Legitimate use of Cloudflare Tunnel for development or internal services may trigger this rule; consider allowlisting by path or user for approved use cases.
45
46### Response and remediation
47
48- If unauthorized tunnel use is confirmed: isolate the host, terminate the cloudflared process, and block cloudflared or Cloudflare tunnel domains at DNS/firewall where policy permits.
49- Rotate credentials for any accounts that may have been exposed over the tunnel.
50"""
51references = [
52    "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-commands/",
53    "https://attack.mitre.org/techniques/T1572/",
54]
55risk_score = 47
56rule_id = "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f"
57severity = "medium"
58tags = [
59    "Domain: Endpoint",
60    "OS: Windows",
61    "Use Case: Threat Detection",
62    "Tactic: Command and Control",
63    "Resources: Investigation Guide",
64    "Data Source: Elastic Defend",
65    "Data Source: Sysmon",
66    "Data Source: SentinelOne",
67    "Data Source: Microsoft Defender for Endpoint",
68    "Data Source: Crowdstrike",
69    "Data Source: Elastic Endgame", 
70    "Data Source: Windows Security Event Logs"
71]
72timestamp_override = "event.ingested"
73type = "eql"
74
75query = '''
76process where host.os.type == "windows" and event.type == "start" and
77 (process.name : "cloudflared.exe" or ?process.pe.original_file_name == "cloudflared.exe" or ?process.code_signature.subject_name : "Cloudflare, Inc.") and process.args : "tunnel"
78'''
79
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1572"
85name = "Protocol Tunneling"
86reference = "https://attack.mitre.org/techniques/T1572/"
87
88[rule.threat.tactic]
89id = "TA0011"
90name = "Command and Control"
91reference = "https://attack.mitre.org/tactics/TA0011/"