Cloudflared Tunnel Execution

calendar Nov 1, 2024 · attack.command-and-control attack.t1102 attack.t1090 attack.t1572  ·
Share on: linkedin copy

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Sigma rule (View on GitHub)

 1title: Cloudflared Tunnel Execution
 2id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
 3status: test
 4description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
 5references:
 6    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
 7    - https://github.com/cloudflare/cloudflared
 8    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 9author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
10date: 2023-05-17
11modified: 2023-12-20
12tags:
13    - attack.command-and-control
14    - attack.t1102
15    - attack.t1090
16    - attack.t1572
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        CommandLine|contains|all:
23            - ' tunnel '
24            - ' run '
25        CommandLine|contains:
26            - '-config '
27            - '-credentials-contents '
28            - '-credentials-file '
29            - '-token '
30    condition: selection
31falsepositives:
32    - Legitimate usage of Cloudflared tunnel.
33level: medium

References

  • Emergence of Akira Ransomware Group

    The Recon SOC recently worked an IR case involving the newly emerged Akira Ransomware Group and we want to share our findings with the community.


    Read More

  • GitHub - cloudflare/cloudflared: Cloudflare Tunnel client (formerly Argo Tunnel)

    Cloudflare Tunnel client (formerly Argo Tunnel). Contribute to cloudflare/cloudflared development by creating an account on GitHub.


    Read More

  • Cloudflare Tunnel | Cloudflare Zero Trust docs

    Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare's global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.


    Read More

Related rules

to-top