Network Connection Initiated To Cloudflared Tunnels Domains
Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Sigma rule (View on GitHub)
1title: Network Connection Initiated To Cloudflared Tunnels Domains
2id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
3related:
4 - id: a1d9eec5-33b2-4177-8d24-27fe754d0812
5 type: derived
6status: experimental
7description: |
8 Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
9 Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
10references:
11 - https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
12 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
13 - Internal Research
14author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
15date: 2024/05/27
16tags:
17 - attack.exfiltration
18 - attack.command_and_control
19 - attack.t1567.001
20logsource:
21 category: network_connection
22 product: windows
23detection:
24 selection:
25 Initiated: 'true'
26 DestinationHostname|endswith:
27 - '.v2.argotunnel.com'
28 - 'protocol-v2.argotunnel.com'
29 - 'trycloudflare.com'
30 - 'update.argotunnel.com'
31 condition: selection
32falsepositives:
33 - Legitimate use of cloudflare tunnels will also trigger this.
34level: medium
References
-
Senior Threat Intelligence Consultant Nic Finn details the ways Cloudflare Tunnel can be utilized by threat actors to gain access to an environment.
Read More
Related rules
- Network Communication Initiated To Portmap.IO Domain
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- APT40 Dropbox Tool User Agent