Potential Protocol Tunneling via Cloudflared

Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare's edge while evading direct connection blocking.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/03/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries
may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data
through Cloudflare's edge while evading direct connection blocking.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Cloudflared"
note = """## Triage and analysis

### Investigating Potential Protocol Tunneling via Cloudflared

Cloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare's edge. Adversaries abuse it to create quick or named tunnels for C2, data exfiltration, or ingress tool transfer while evading direct connection blocking.

### Possible investigation steps

- Confirm the process command line for `tunnel`, `--url`, or `tunnel run` to validate cloudflared tunnel usage.
- Identify the parent process and process executable path; cloudflared run from temp or user writable locations is more suspicious than from Program Files.
- For quick tunnel (`--url http://...`), identify the local URL and whether it could be a C2 callback or proxy.
- Correlate with network data for outbound connections to Cloudflare IPs or trycloudflare.com-style hostnames around the same time.
- Review the user and session that started the tunnel; look for other suspicious logon or execution from the same context.

### False positive analysis

- Legitimate use of Cloudflare Tunnel for development or internal services may trigger this rule; consider allowlisting by path or user for approved use cases.

### Response and remediation

- If unauthorized tunnel use is confirmed: isolate the host, terminate the cloudflared process, and block cloudflared or Cloudflare tunnel domains at DNS/firewall where policy permits.
- Rotate credentials for any accounts that may have been exposed over the tunnel.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

references = [
    "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-commands/",
    "https://attack.mitre.org/techniques/T1572/",
]
risk_score = 47
rule_id = "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Crowdstrike",
    "Data Source: Elastic Endgame",
    "Data Source: Windows Security Event Logs"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 (process.name : "cloudflared.exe" or ?process.pe.original_file_name == "cloudflared.exe" or ?process.code_signature.subject_name : "Cloudflare, Inc.") and process.args : "tunnel"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1090"
name = "Proxy"
reference = "https://attack.mitre.org/techniques/T1090/"

[[rule.threat.technique.subtechnique]]
id = "T1090.002"
name = "External Proxy"
reference = "https://attack.mitre.org/techniques/T1090/002/"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
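The following is an added example, not Elastic's code and not part of the rule itself. It re-implements the query's EQL conditions in Python over constructed, ECS-shaped process-start events (modelling the `:` operator as case-insensitive wildcard matching that accepts any element of an array field, `==` as exact equality, and `?field` as a lookup that simply yields no match when the field is absent), then applies the triage steps from the note to each hit (quick versus named tunnel, the local `--url` target, an executable path outside Program Files, the parent process and user) and the path/user allowlisting that the false-positive section suggests. The sample events, the allowlist entry, the trusted-directory list and all helper names are assumptions made for the demonstration; the EQL modelling is a simplification of the real engine.

```python
from __future__ import annotations

import fnmatch
from typing import Any


def make_event(name, executable, args, parent, user, **extra_process):
    """Build a constructed ECS-shaped process-start event (sample data, not real telemetry)."""
    proc = {"name": name, "executable": executable, "args": args, "parent": {"name": parent}}
    proc.update(extra_process)
    return {"host": {"os": {"type": "windows"}}, "event": {"type": ["start"]},
            "user": {"name": user}, "process": proc}


SAMPLE_EVENTS = [
    # quick tunnel from a user-writable temp folder, spawned by PowerShell: expect an alert
    make_event("cloudflared.exe", r"C:\Users\alice\AppData\Local\Temp\cloudflared.exe",
               ["cloudflared.exe", "tunnel", "--url", "http://127.0.0.1:80"], "powershell.exe", "alice"),
    # renamed binary; only the optional PE original file name gives it away
    make_event("svchost.exe", r"C:\ProgramData\svchost.exe",
               ["svchost.exe", "tunnel", "run", "example-tunnel"], "cmd.exe", "bob",
               pe={"original_file_name": "cloudflared.exe"}),
    # approved service deployment from Program Files: matches the query but is allowlisted
    make_event("Cloudflared.exe", r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
               ["cloudflared.exe", "tunnel", "run"], "services.exe", "svc-cloudflared",
               code_signature={"subject_name": "Cloudflare, Inc."}),
    # cloudflared without the tunnel subcommand: no alert
    make_event("cloudflared.exe", r"C:\Users\alice\Downloads\cloudflared.exe",
               ["cloudflared.exe", "--version"], "explorer.exe", "alice"),
]

# Assumed trusted install locations for the "run from Program Files" triage heuristic.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Assumed exception list: (executable glob, required user or None for any user).
ALLOWLIST = (
    (r"c:\program files (x86)\cloudflared\cloudflared.exe", "svc-cloudflared"),
)


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted ECS field; None when any segment is missing (EQL `?field` semantics)."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def eql_like(value: Any, pattern: str) -> bool:
    """Model of EQL `:`: case-insensitive, `*`/`?` wildcards, any element of an array may match."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower()) for v in values)


def eql_eq(value: Any, literal: str) -> bool:
    """Model of EQL `==`: exact, case-sensitive equality (any element of an array may match)."""
    values = value if isinstance(value, list) else [value]
    return any(v == literal for v in values)


def rule_matches(event: dict) -> bool:
    """The rule's query, evaluated over a single event."""
    if not (eql_eq(get_field(event, "host.os.type"), "windows")
            and eql_eq(get_field(event, "event.type"), "start")):
        return False
    is_cloudflared = (
        eql_like(get_field(event, "process.name"), "cloudflared.exe")
        or eql_eq(get_field(event, "process.pe.original_file_name"), "cloudflared.exe")
        or eql_like(get_field(event, "process.code_signature.subject_name"), "Cloudflare, Inc.")
    )
    return is_cloudflared and eql_like(get_field(event, "process.args"), "tunnel")


def triage(event: dict) -> dict:
    """Enrichment mirroring the investigation steps: tunnel mode, local URL, path, parent, user."""
    args = [str(a) for a in (get_field(event, "process.args") or [])]
    local_url = None
    for i, a in enumerate(args):
        if a.lower() == "--url" and i + 1 < len(args):
            local_url = args[i + 1]           # `--url http://...` form
        elif a.lower().startswith("--url="):
            local_url = a[len("--url="):]     # `--url=http://...` form
    lowered = [a.lower() for a in args]
    mode = "quick" if local_url else ("named" if "run" in lowered else "other")
    exe = get_field(event, "process.executable") or ""
    return {
        "tunnel_mode": mode,
        "local_url": local_url,
        "executable": exe,
        "untrusted_path": not exe.lower().startswith(TRUSTED_DIRS),
        "parent": get_field(event, "process.parent.name"),
        "user": get_field(event, "user.name"),
    }


def allowlisted(event: dict, allowlist=ALLOWLIST) -> bool:
    """Exception by executable path and (optionally) user, as the false-positive note suggests."""
    exe = (get_field(event, "process.executable") or "").lower()
    user = (get_field(event, "user.name") or "").lower()
    return any(fnmatch.fnmatchcase(exe, pat.lower()) and (u is None or u.lower() == user)
               for pat, u in allowlist)


def run_rule(events: list[dict], allowlist=ALLOWLIST) -> list[dict]:
    """Return a triage record for every event that matches the query and is not allowlisted."""
    return [triage(e) for e in events if rule_matches(e) and not allowlisted(e, allowlist)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields two triage records: the quick tunnel pointing at `http://127.0.0.1:80` from a Temp directory under PowerShell, and the renamed binary starting a named tunnel from ProgramData, both flagged as running from an untrusted path. The Program Files deployment matches the query but is suppressed by the allowlist, and the `--version` invocation never matches because `tunnel` is absent from `process.args`.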
