Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Sigma rule (View on GitHub)
1title: Cloudflared Tunnels Related DNS Requests
2id: a1d9eec5-33b2-4177-8d24-27fe754d0812
3related:
4 - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
5 type: similar
6status: experimental
7description: |
8 Detects DNS requests to Cloudflared tunnels domains.
9 Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
10references:
11 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
12 - Internal Research
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-12-20
15tags:
16 - attack.command-and-control
17 - attack.t1071.001
18logsource:
19 category: dns_query
20 product: windows
21detection:
22 selection:
23 QueryName|endswith:
24 - '.v2.argotunnel.com'
25 - 'protocol-v2.argotunnel.com'
26 - 'trycloudflare.com'
27 - 'update.argotunnel.com'
28 condition: selection
29falsepositives:
30 - Legitimate use of cloudflare tunnels will also trigger this.
31level: medium
References
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern