Cloudflared Portable Execution

Detects the execution of the "cloudflared" binary from a non standard location.

Sigma rule

title: Cloudflared Portable Execution
id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
status: experimental
description: |
        Detects the execution of the "cloudflared" binary from a non standard location.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - https://github.com/cloudflare/cloudflared/releases
author: Nasreddine Bencherchali (Nextron Systems)
tags:
    - attack.command_and_control
    - attack.t1090.001
date: 2023/12/20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cloudflared.exe'
    filter_main_admin_location:
        Image|contains:
            - ':\Program Files (x86)\cloudflared\'
            - ':\Program Files\cloudflared\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of Cloudflared portable versions
level: medium
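The rule's logic, re-implemented in Python over constructed process-creation events so the selection/filter interplay can be tested offline. This is an added example, not part of the Sigma rule or the Sigma project; the event dicts and the `matches_rule`/`alert_images` helpers are assumptions for illustration.

```python
"""Added example: evaluate the 'Cloudflared Portable Execution' Sigma logic
against constructed Windows process_creation events (not real telemetry)."""

# Trusted install paths from the rule's filter_main_admin_location
ADMIN_LOCATIONS = (
    ":\\Program Files (x86)\\cloudflared\\",
    ":\\Program Files\\cloudflared\\",
)


def matches_rule(image: str) -> bool:
    """Return True when an Image value would fire the rule.

    Sigma string modifiers (endswith/contains) are case-insensitive by
    default, so both sides are lowercased before comparison.
    """
    img = image.lower()
    selection = img.endswith("\\cloudflared.exe")
    in_admin_location = any(loc.lower() in img for loc in ADMIN_LOCATIONS)
    # condition: selection and not 1 of filter_main_*
    return selection and not in_admin_location


# Constructed sample events covering the expected outcomes:
#  - installed under Program Files -> suppressed by the filter
#  - portable copy in a user-writable path -> alert
#  - upper-case filename -> still alerts (case-insensitive match)
#  - release artifact name (cloudflared-windows-amd64.exe) -> not matched,
#    because the rule only looks for the exact filename cloudflared.exe
#  - unrelated process -> no alert
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe"},
    {"Image": r"C:\Program Files\cloudflared\cloudflared.exe"},
    {"Image": r"C:\Users\Public\Downloads\cloudflared.exe"},
    {"Image": r"D:\temp\CLOUDFLARED.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\cloudflared-windows-amd64.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe"},
]


def alert_images(events):
    """Return the Image values of all events that trigger the rule."""
    return [e["Image"] for e in events if matches_rule(e["Image"])]


if __name__ == "__main__":
    for img in alert_images(SAMPLE_EVENTS):
        print("ALERT:", img)
```

The fourth sample shows the coverage limit a detection engineer should note: the rule keys on the exact filename, so the upstream release artifact name is outside its scope and the `falsepositives` and filter tuning only apply to `cloudflared.exe` itself.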
