Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
Sigma rule
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: experimental
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
references:
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-21
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - 'cleanup '
        CommandLine|contains:
            - '-config '
            - '-connector-id '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared.
level: medium
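As an added example (not part of the rule or the Sigma project), the selection logic above re-implemented in Python and run over constructed process_creation CommandLine values, including the edge case where "cleanup" is the last token and the trailing space in the pattern prevents a match. The command lines, paths and connector-id value are constructed samples.

```python
# Added example: evaluates this rule's 'selection' against constructed
# Windows process_creation CommandLine values. Sigma string modifiers
# (contains, contains|all) are case-insensitive by default, so inputs
# are lower-cased before comparison.

CONTAINS_ALL = [" tunnel ", "cleanup "]          # CommandLine|contains|all
CONTAINS_ANY = ["-config ", "-connector-id "]    # CommandLine|contains


def matches_rule(command_line: str) -> bool:
    """Return True when CommandLine satisfies the rule's 'selection'.

    Both clauses sit in the same selection map, so they are ANDed:
      - every string in CONTAINS_ALL must appear (contains|all)
      - at least one string in CONTAINS_ANY must appear (contains)
    Note that '-config ' also matches the double-dash form '--config '.
    """
    cl = command_line.lower()
    all_ok = all(s.lower() in cl for s in CONTAINS_ALL)
    any_ok = any(s.lower() in cl for s in CONTAINS_ANY)
    return all_ok and any_ok


# Constructed sample events (not real telemetry): (CommandLine, expected hit)
SAMPLE_EVENTS = [
    ("cloudflared.exe tunnel cleanup --config C:\\cf\\config.yml my-tunnel", True),
    ("cloudflared.exe tunnel cleanup --connector-id 00000000-0000-0000-0000-000000000000 my-tunnel", True),
    # No -config / -connector-id argument: the second clause fails.
    ("cloudflared.exe tunnel cleanup my-tunnel", False),
    # Different subcommand: 'cleanup ' is absent.
    ("cloudflared.exe tunnel run --config C:\\cf\\config.yml my-tunnel", False),
    # 'cleanup' as the final token has no trailing space, so 'cleanup ' does not match.
    ("cloudflared.exe tunnel --config C:\\cf\\config.yml cleanup", False),
]


def evaluate_samples(events=SAMPLE_EVENTS):
    """Run each sample through the rule; returns a list of (CommandLine, matched)."""
    return [(cl, matches_rule(cl)) for cl, _expected in events]


if __name__ == "__main__":
    for cl, hit in evaluate_samples():
        print("MATCH  " if hit else "nomatch", cl)
```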
Related rules
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated