Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Sigma rule (View on GitHub)
1title: Cloudflared Tunnels Related DNS Requests
2id: a1d9eec5-33b2-4177-8d24-27fe754d0812
3related:
4 - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
5 type: similar
6status: test
7description: |
8 Detects DNS requests to Cloudflared tunnels domains.
9 Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
10references:
11 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
12 - Internal Research
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-12-20
15tags:
16 - attack.command-and-control
17 - attack.t1071.001
18 - attack.t1572
19logsource:
20 category: dns_query
21 product: windows
22detection:
23 selection:
24 QueryName|endswith:
25 - '.v2.argotunnel.com'
26 - 'protocol-v2.argotunnel.com'
27 - 'trycloudflare.com'
28 - 'update.argotunnel.com'
29 condition: selection
30falsepositives:
31 - Legitimate use of cloudflare tunnels will also trigger this.
32level: medium
References
-
Senior Threat Intelligence Consultant Nic Finn details the ways Cloudflare Tunnel can be utilized by threat actors to gain access to an environment.
Read More
Related rules
- DNS Query To Devtunnels Domain
- Network Connection Initiated To BTunnels Domains
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Network Connection Initiated To Cloudflared Tunnels Domains
- Process Initiated Network Connection To Ngrok Domain