Cloudflared Tunnels Related DNS Requests

Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Sigma rule (View on GitHub)

 1title: Cloudflared Tunnels Related DNS Requests
 2id: a1d9eec5-33b2-4177-8d24-27fe754d0812
 3related:
 4    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
 5      type: similar
 6status: experimental
 7description: |
 8    Detects DNS requests to Cloudflared tunnels domains.
 9    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.    
10references:
11    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
12    - Internal Research
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-12-20
15tags:
16    - attack.command-and-control
17    - attack.t1071.001
18logsource:
19    category: dns_query
20    product: windows
21detection:
22    selection:
23        QueryName|endswith:
24            - '.v2.argotunnel.com'
25            - 'protocol-v2.argotunnel.com'
26            - 'trycloudflare.com'
27            - 'update.argotunnel.com'
28    condition: selection
29falsepositives:
30    - Legitimate use of cloudflare tunnels will also trigger this.
31level: medium

References

Related rules

to-top