Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
Sigma rule (View on GitHub)
1title: Cloudflared Tunnel Connections Cleanup
2id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
3status: test
4description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
5references:
6 - https://github.com/cloudflare/cloudflared
7 - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023-05-17
10modified: 2023-12-21
11tags:
12 - attack.command-and-control
13 - attack.t1102
14 - attack.t1090
15 - attack.t1572
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains|all:
22 - ' tunnel '
23 - 'cleanup '
24 CommandLine|contains:
25 - '-config '
26 - '-connector-id '
27 condition: selection
28falsepositives:
29 - Legitimate usage of Cloudflared.
30level: medium
References
-
Cloudflare Tunnel client (formerly Argo Tunnel). Contribute to cloudflare/cloudflared development by creating an account on GitHub.
Read More -
Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare's global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
Read More
Related rules
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated