Cloudflared Tunnels Related DNS Requests
Detects DNS query requests to Cloudflared tunnel domains (the argotunnel.com and trycloudflare.com infrastructure the cloudflared client resolves when it establishes or updates a tunnel).
Sigma rule
```yaml
title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
status: experimental
description: Detects DNS query requests to Cloudflared tunnel domains.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/12/20
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of Cloudflare Tunnels will also trigger this.
level: medium
```
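The following is an added worked example, not part of the SigmaHQ rule or of this page. It replays the selection's `QueryName|endswith` logic over a few constructed Sysmon Event ID 22 (DnsQuery) records, which is what the `windows` / `dns_query` logsource maps to, and places it beside a hypothetical label-boundary variant (`matches_strict`, my own addition, not in the rule) so the difference in what a bare `trycloudflare.com` suffix catches is visible. The sample events and image paths are made up for the demonstration.

```python
"""Replay the Cloudflared tunnel DNS rule over constructed Sysmon Event ID 22 records.

Added example for illustration; the suffix list is copied from the rule, the
events below are constructed and not real telemetry.
"""

# Suffixes exactly as listed under QueryName|endswith in the rule.
CLOUDFLARED_SUFFIXES = (
    ".v2.argotunnel.com",
    "protocol-v2.argotunnel.com",
    "trycloudflare.com",
    "update.argotunnel.com",
)


def matches_rule(query_name: str) -> bool:
    """The rule's semantics: Sigma string matching is case-insensitive by default,
    and `endswith` is a plain suffix test with no notion of DNS label boundaries.
    A trailing dot (FQDN form) is stripped so 'x.trycloudflare.com.' still matches."""
    q = query_name.lower().rstrip(".")
    return any(q.endswith(suffix) for suffix in CLOUDFLARED_SUFFIXES)


def matches_strict(query_name: str) -> bool:
    """Hypothetical tightening, NOT what the rule does: only match when the suffix
    is the whole name or sits on a label boundary, so 'evil-trycloudflare.com'
    is excluded while 'abc.trycloudflare.com' is still caught."""
    q = query_name.lower().rstrip(".")
    for suffix in CLOUDFLARED_SUFFIXES:
        bare = suffix.lstrip(".")
        if q == bare or q.endswith("." + bare):
            return True
    return False


# Constructed Sysmon events (EventID 22 = DnsQuery). Image paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Users\Public\cloudflared.exe",
     "QueryName": "a1b2c3d4.v2.argotunnel.com"},
    {"EventID": 22, "Image": r"C:\Users\Public\cloudflared.exe",
     "QueryName": "PROTOCOL-V2.argotunnel.com"},          # mixed case, still matches
    {"EventID": 22, "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "QueryName": "update.argotunnel.com."},              # FQDN form with trailing dot
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "random-words-here.trycloudflare.com"}, # visitor to a quick tunnel
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.cloudflare.com"},                  # ordinary Cloudflare traffic, no hit
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.7"},                    # not a dns_query event, skipped
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "evil-trycloudflare.com"},              # unrelated domain, caught by bare suffix
]


def triage(events, matcher=matches_rule):
    """Apply the selection to dns_query events only and return (Image, QueryName)
    pairs so an analyst can judge the false-positive note: a signed cloudflared
    install under Program Files looks identical on DNS to a dropped copy elsewhere."""
    return [
        (e["Image"], e["QueryName"])
        for e in events
        if e.get("EventID") == 22 and matcher(e["QueryName"])
    ]


if __name__ == "__main__":
    for image, name in triage(SAMPLE_EVENTS):
        print(f"HIT  {name:40s} <- {image}")
    print("strict variant hits:", len(triage(SAMPLE_EVENTS, matches_strict)))
```

The last sample shows the practical caveat: because the rule lists `trycloudflare.com` without a leading dot, any name that merely ends in that string matches, which is acceptable for a medium-level hunting rule but worth knowing when tuning. The `Image` column is what separates the false-positive case in the rule's own note (a legitimate `cloudflared` deployment) from the abuse pattern the referenced GuidePoint write-up describes, so keep process context alongside the DNS hit when triaging.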
Related rules
- DNS Query To Devtunnels Domain
- DNS Query To Visual Studio Code Tunnels Domain
- Change User Agents with WebRequest
- Renamed Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Execution