Network Connection Initiated To Cloudflared Tunnels Domains

Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Sigma rule (View on GitHub)

 1title: Network Connection Initiated To Cloudflared Tunnels Domains
 2id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
 3related:
 4    - id: a1d9eec5-33b2-4177-8d24-27fe754d0812
 5      type: derived
 6status: experimental
 7description: |
 8    Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
 9    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.    
10references:
11    - https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
12    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
13    - Internal Research
14author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
15date: 2024-05-27
16tags:
17    - attack.exfiltration
18    - attack.command-and-control
19    - attack.t1567.001
20logsource:
21    category: network_connection
22    product: windows
23detection:
24    selection:
25        Initiated: 'true'
26        DestinationHostname|endswith:
27            - '.v2.argotunnel.com'
28            - 'protocol-v2.argotunnel.com'
29            - 'trycloudflare.com'
30            - 'update.argotunnel.com'
31    condition: selection
32falsepositives:
33    - Legitimate use of cloudflare tunnels will also trigger this.
34level: medium

References

Related rules

to-top