Detectionmediumtest

Cloudflared Tunnels Related DNS Requests

Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Dec 20a1d9eec5-33b2-4177-8d24-27fe754d0812windows

Log Source

WindowsDNS Query

ProductWindows← raw: windows

CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic

detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection

False Positives

Legitimate use of cloudflare tunnels will also trigger this.

References

Resolving title…

guidepointsecurity.com

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Techniques

T1572 · Protocol Tunneling

Sub-techniques

T1071.001 · Web Protocols

Related Rules

SimilarDetectionmedium

Network Connection Initiated To Cloudflared Tunnels Domains

Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

a1d9eec5-33b2-4177-8d24-27fe754d0812

Status

test

Level

medium

Type

Detection

Created

Wed Dec 20

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/dns_query/dns_query_win_cloudflared_communication.yml

Raw Tags

attack.command-and-controlattack.t1071.001attack.t1572

View on GitHub