LoFP / legitimate usage of cloudflared tunnel.

Techniques

Sample rules

Cloudflared Tunnel Execution

Description

Detects execution of the "cloudflared" tool to connect back to a tunnel. This has been observed being used by threat actors to maintain persistence and remote access to compromised networks.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - '-config '
  - '-credentials-contents '
  - '-credentials-file '
  - '-token '
  CommandLine|contains|all:
  - ' tunnel '
  - ' run '
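The selection above is a single Sigma map, so its two keys are ANDed: the command line must contain both ' tunnel ' and ' run ' and at least one of the four credential/config options. Because a legitimate administrator starting a sanctioned tunnel produces exactly the same command line as the activity the rule targets, the rule cannot separate the two by itself. The following added example (not from the LoFP page or the Sigma project) re-implements the selection logic as a small matcher, runs it over constructed process-creation events, and adds a triage step that tags matches from hosts and accounts where tunnels are expected. The hostnames, account names, file paths, the allow-list and the token value are all constructed for the example.

```python
"""
Added example (not part of the LoFP page or the Sigma rule): a stand-alone
re-implementation of the rule's selection logic, run over constructed
Windows process-creation events, plus a triage helper that tags matches
from hosts where a cloudflared tunnel is sanctioned.
"""

# Literal values copied from the rule on the page.
REQUIRED_ALL = (" tunnel ", " run ")
REQUIRED_ANY = ("-config ", "-credentials-contents ", "-credentials-file ", "-token ")


def rule_matches(command_line: str) -> bool:
    """Mirror the Sigma selection: 'contains' is a case-insensitive substring
    test; keys inside one selection map are ANDed; list values under plain
    'contains' are ORed and under 'contains|all' are ANDed."""
    cl = command_line.lower()
    return all(s in cl for s in REQUIRED_ALL) and any(s in cl for s in REQUIRED_ANY)


# Constructed sample events; hostnames, users, paths and the token are made up.
SAMPLE_EVENTS = [
    {"host": "WEB01", "user": "svc_cloudflare",
     "cmd": r'C:\Program Files (x86)\cloudflared\cloudflared.exe tunnel run --token PLACEHOLDER_TOKEN'},
    {"host": "HR-LAPTOP-07", "user": "jdoe",
     "cmd": r'C:\Users\jdoe\AppData\Local\Temp\cloudflared.exe tunnel --config C:\Users\jdoe\AppData\Local\Temp\cfg.yml run mytunnel'},
    {"host": "WEB01", "user": "svc_cloudflare",
     "cmd": r'C:\Program Files (x86)\cloudflared\cloudflared.exe tunnel list'},
    {"host": "DEV02", "user": "builder",
     "cmd": r'cloudflared.exe tunnel login'},
]

# Hypothetical allow-list of (host, account) pairs where running a tunnel is sanctioned.
EXPECTED_TUNNEL_RUNNERS = {("WEB01", "svc_cloudflare")}


def triage(events, expected=EXPECTED_TUNNEL_RUNNERS):
    """Return (verdict, event) pairs: 'expected' for allow-listed matches,
    'review' for any other match, None for events the rule does not fire on."""
    results = []
    for ev in events:
        if not rule_matches(ev["cmd"]):
            results.append((None, ev))
        elif (ev["host"], ev["user"]) in expected:
            results.append(("expected", ev))
        else:
            results.append(("review", ev))
    return results


if __name__ == "__main__":
    for verdict, ev in triage(SAMPLE_EVENTS):
        print(f"{verdict or 'no-match':9} {ev['host']:13} {ev['user']:15} {ev['cmd']}")
```

Both the sanctioned service-account run on WEB01 and the run from a user's Temp directory match the rule identically; only the allow-list (or, in a real deployment, a Sigma filter on Image path, ParentImage or User) tells them apart, which is the legitimate-usage false positive this entry records. The `tunnel list` and `tunnel login` events do not fire because the rule requires ' run '.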