Cloudflared Portable Execution

 1title: Cloudflared Portable Execution
 2id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
 3status: test
 4description: |
 5        Detects the execution of the "cloudflared" binary from a non standard location.
 6references:
 7    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
 8    - https://github.com/cloudflare/cloudflared
 9    - https://www.intrinsec.com/akira_ransomware/
10    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
11    - https://github.com/cloudflare/cloudflared/releases
12author: Nasreddine Bencherchali (Nextron Systems)
13tags:
14    - attack.command-and-control
15    - attack.t1090.001
16date: 2023-12-20
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        Image|endswith: '\cloudflared.exe'
23    filter_main_admin_location:
24        Image|contains:
25            - ':\Program Files (x86)\cloudflared\'
26            - ':\Program Files\cloudflared\'
27    condition: selection and not 1 of filter_main_*
28falsepositives:
29    - Legitimate usage of Cloudflared portable versions
30level: medium

References

• Quick Tunnels | Cloudflare Zero Trust docs

  Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on trycloudflare.com. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost.

  
  Read More

• GitHub - cloudflare/cloudflared: Cloudflare Tunnel client (formerly Argo Tunnel)

  

  Cloudflare Tunnel client (formerly Argo Tunnel). Contribute to cloudflare/cloudflared development by creating an account on GitHub.

  
  Read More

• Aki-RATs - Command and Control Party

  Discover CERT Intrinsec's insights on Akira ransomware's three-phase attack strategy, from network infiltration to data encryption

  
  Read More

• Tunnel Vision: CloudflareD AbuseD in the WilD

  

  Senior Threat Intelligence Consultant Nic Finn details the ways Cloudflare Tunnel can be utilized by threat actors to gain access to an environment.

  
  Read More

• Releases · cloudflare/cloudflared

  

  Cloudflare Tunnel client (formerly Argo Tunnel). Contribute to cloudflare/cloudflared development by creating an account on GitHub.

  
  Read More

Related rules

• Cloudflared Quick Tunnel Execution
• Renamed Cloudflared.EXE Execution
• HackTool - SharpChisel Execution
• PUA - Chisel Tunneling Tool Execution
• RDP over Reverse SSH Tunnel WFP