Network Connection Initiated To Cloudflared Tunnels Domains
Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Sigma rule (View on GitHub)
1title: Network Connection Initiated To Cloudflared Tunnels Domains
2id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
3related:
4 - id: a1d9eec5-33b2-4177-8d24-27fe754d0812
5 type: derived
6status: test
7description: |
8 Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
9 Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
10references:
11 - https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
12 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
13 - Internal Research
14author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
15date: 2024-05-27
16tags:
17 - attack.exfiltration
18 - attack.command-and-control
19 - attack.t1567
20 - attack.t1572
21logsource:
22 category: network_connection
23 product: windows
24detection:
25 selection:
26 Initiated: 'true'
27 DestinationHostname|endswith:
28 - '.v2.argotunnel.com'
29 - 'protocol-v2.argotunnel.com'
30 - 'trycloudflare.com'
31 - 'update.argotunnel.com'
32 condition: selection
33falsepositives:
34 - Legitimate use of cloudflare tunnels will also trigger this.
35level: medium
References
-
Senior Threat Intelligence Consultant Nic Finn details the ways Cloudflare Tunnel can be utilized by threat actors to gain access to an environment.
Read More
Related rules
- Process Initiated Network Connection To Ngrok Domain
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- Network Connection Initiated To DevTunnels Domain
- Suspicious Non-Browser Network Communication With Telegram API