
Network Connection Initiated To Cloudflared Tunnels Domains

Detects outbound network connections to Cloudflare Tunnel (cloudflared) domains initiated by a process on the system. Attackers can abuse this feature to expose a local service through Cloudflare's edge and establish a reverse shell or persistence on a machine.

Author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
Created: Mon May 27
Rule ID: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (1 selector)
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
False Positives

Legitimate use of Cloudflare Tunnel (cloudflared) will also trigger this rule, since the domains are shared by benign and malicious tunnels; the initiating process is the main triage pivot.
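The selection above evaluated in Python against a handful of constructed Sysmon Event ID 3 (network connection) records, as an added example that is not part of the rule page or the Sigma project. Field names (Initiated, DestinationHostname, Image) follow the Sigma windows/network_connection taxonomy the rule uses; the sample events, image paths and hostnames are invented, and the unexpected_image helper is a local tuning suggestion tied to the false-positive note above, not part of the rule itself.

```python
"""Evaluate the Cloudflared tunnel Sigma selection against constructed events.

Added example, not the rule's or Sigma's own code.  The events in
SAMPLE_EVENTS are constructed for illustration, not captured telemetry.
"""

RULE_TITLE = "Network Connection Initiated To Cloudflared Tunnels Domains"
RULE_LEVEL = "medium"
RULE_TAGS = ("attack.exfiltration", "attack.command-and-control",
             "attack.t1567", "attack.t1572")

# The four values from the rule's DestinationHostname|endswith list.
SUFFIXES = (
    ".v2.argotunnel.com",
    "protocol-v2.argotunnel.com",
    "trycloudflare.com",
    "update.argotunnel.com",
)


def matches(event):
    """True when the event satisfies the rule's single selection:
    Initiated is 'true' AND DestinationHostname ends with one of SUFFIXES.
    Sigma string matching is case-insensitive by default, so both sides
    are lowercased before comparison."""
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    host = str(event.get("DestinationHostname", "")).lower()
    # endswith, not substring: 'argotunnel.com.example.net' must not match.
    return any(host.endswith(suffix) for suffix in SUFFIXES)


def unexpected_image(event):
    """Local tuning helper (an assumption, not part of the rule): flag hits
    whose originating image is not the cloudflared binary, because
    legitimate tunnel use also matches the selection."""
    path = str(event.get("Image", "")).replace("\\", "/")
    return path.rsplit("/", 1)[-1].lower() != "cloudflared.exe"


def run_rule(events):
    """Apply the selection to a list of events and return alert records
    carrying the rule's title, level and ATT&CK tags plus a triage flag."""
    hits = []
    for ev in events:
        if matches(ev):
            hits.append({
                "Image": ev.get("Image"),
                "DestinationHostname": ev.get("DestinationHostname"),
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "tags": list(RULE_TAGS),
                "unexpected_image": unexpected_image(ev),
            })
    return hits


# Constructed Sysmon EID 3 records (hypothetical paths and hostnames).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "Initiated": "true", "DestinationHostname": "region1.v2.argotunnel.com"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "Initiated": "true", "DestinationHostname": "quiet-maple-0123.trycloudflare.com"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Initiated": "true", "DestinationHostname": "www.example.com"},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "Initiated": "false", "DestinationHostname": "region1.v2.argotunnel.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "true", "DestinationHostname": "UPDATE.ARGOTUNNEL.COM"},
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe",
     "Initiated": "true", "DestinationHostname": "argotunnel.com.example.net"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        flag = " (unexpected image, review)" if hit["unexpected_image"] else ""
        print(f"{hit['level']}: {hit['Image']} -> {hit['DestinationHostname']}{flag}")
```

Of the six constructed events, three match: the inbound connection (Initiated false) and the host that merely contains argotunnel.com as a non-suffix are correctly excluded, and the upper-case hostname still matches because Sigma comparisons are case-insensitive. When the backend is Sysmon Event ID 3, DestinationHostname is filled from Sysmon's reverse DNS lookup of the destination address (and is absent when DnsLookup is disabled), so coverage depends on what that lookup returns for Cloudflare edge addresses.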

Rule Metadata
Rule ID
7cd1dcdc-6edf-4896-86dc-d1f19ad64903
Status
test
Level
medium
Type
Detection
Created
Mon May 27
Path
rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
Raw Tags
attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572