Techniques
Sample rules
Cloudflared Portable Execution
- source: sigma
- techniques:
  - t1090
  - t1090.001
Description
Detects the execution of the “cloudflared” binary from a non-standard location.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_admin_location:
    Image|contains:
        - ':\Program Files (x86)\cloudflared\'
        - ':\Program Files\cloudflared\'
selection:
    Image|endswith: '\cloudflared.exe'
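The detection logic above, evaluated over sample process-creation events, as an added example that is not part of the Sigma rule or its project. The event records, user names and the helper names matches_rule and triage are constructed for illustration; the matching is case-insensitive, as Sigma string matching is by default.

```python
# Added example: applies the rule's selection and filter to constructed events.
SELECTION_SUFFIX = "\\cloudflared.exe"          # Image|endswith
FILTER_ADMIN_LOCATIONS = [                      # Image|contains (filter_main_admin_location)
    ":\\Program Files (x86)\\cloudflared\\",
    ":\\Program Files\\cloudflared\\",
]


def matches_rule(event):
    """Return True for: selection and not 1 of filter_main_*."""
    # Lower-case both sides so the comparison is case-insensitive.
    image = (event.get("Image") or "").lower()
    selection = image.endswith(SELECTION_SUFFIX.lower())
    # The filter values start at ":" so any drive letter is accepted.
    filter_main_admin_location = any(
        location.lower() in image for location in FILTER_ADMIN_LOCATIONS
    )
    return selection and not filter_main_admin_location


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files (x86)\\cloudflared\\cloudflared.exe", "User": "CORP\\svc-tunnel"},
    {"Image": "D:\\Program Files\\cloudflared\\cloudflared.exe", "User": "CORP\\admin"},
    {"Image": "C:\\Users\\alice\\Downloads\\cloudflared.exe", "User": "CORP\\alice"},
    {"Image": "C:\\ProgramData\\Temp\\CLOUDFLARED.EXE", "User": "CORP\\bob"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"},
    {"User": "CORP\\carol"},  # event without an Image field never matches
]


def triage(events):
    """Return the Image path of every event the rule would alert on."""
    return [event["Image"] for event in events if matches_rule(event)]


if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("ALERT cloudflared outside install directory:", image)
```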