Cloudflared Tunnels Related DNS Requests

May 27, 2024 · attack.command_and_control attack.t1071.001 ·

Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Sigma rule (View on GitHub)

 1title: Cloudflared Tunnels Related DNS Requests
 2id: a1d9eec5-33b2-4177-8d24-27fe754d0812
 3related:
 4    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
 5      type: similar
 6status: experimental
 7description: |
 8    Detects DNS requests to Cloudflared tunnels domains.
 9    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.    
10references:
11    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
12    - Internal Research
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023/12/20
15tags:
16    - attack.command_and_control
17    - attack.t1071.001
18logsource:
19    category: dns_query
20    product: windows
21detection:
22    selection:
23        QueryName|endswith:
24            - '.v2.argotunnel.com'
25            - 'protocol-v2.argotunnel.com'
26            - 'trycloudflare.com'
27            - 'update.argotunnel.com'
28    condition: selection
29falsepositives:
30    - Legitimate use of cloudflare tunnels will also trigger this.
31level: medium

References

Tunnel Vision: CloudflareD AbuseD in the WilD

Senior Threat Intelligence Consultant Nic Finn details the ways Cloudflare Tunnel can be utilized by threat actors to gain access to an environment.

Read More
Internal Research

Read More

Cloudflared Tunnels Related DNS Requests

Sigma rule (View on GitHub)

References

Tunnel Vision: CloudflareD AbuseD in the WilD

Internal Research

Related rules