← Back to Explore
sigmamediumHunting
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Detection Query
selection:
CommandLine|contains|all:
- " tunnel "
- " run "
CommandLine|contains:
- "-config "
- "-credentials-contents "
- "-credentials-file "
- "-token "
condition: selection
Author
Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
Created
2023-05-17
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1102attack.t1090attack.t1572
Raw Content
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
- https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
- https://github.com/cloudflare/cloudflared
- https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
- attack.command-and-control
- attack.t1102
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' tunnel '
- ' run '
CommandLine|contains:
- '-config '
- '-credentials-contents '
- '-credentials-file '
- '-token '
condition: selection
falsepositives:
- Legitimate usage of Cloudflared tunnel.
level: medium