Techniques
Sample rules
Cloudflared Tunnel Connections Cleanup
- source: sigma
- techniques:
  - t1090
  - t1102
  - t1572
Description
Detects execution of the “cloudflared” tool with the tunnel “cleanup” flag to clean up tunnel connections.
Detection logic
condition: selection
selection:
  CommandLine|contains:
    - '-config '
    - '-connector-id '
  CommandLine|contains|all:
    - ' tunnel '
    - 'cleanup '
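The selection pairs a `contains` list (any one value is enough) with a `contains|all` list (every value must be present), and both must hold for the rule to fire. The following is an added example, not part of the Sigma rule or the original page, that applies that logic to constructed process-creation events. The helper names `matches` and `triage`, the host names, the tunnel name and the connector ID are all assumptions made for illustration.

```python
# Added example: the rule's selection applied to constructed process-creation events.
CONTAINS_ANY = ["-config ", "-connector-id "]   # CommandLine|contains      (OR)
CONTAINS_ALL = [" tunnel ", "cleanup "]         # CommandLine|contains|all  (AND)


def matches(command_line: str) -> bool:
    """Return True when the command line satisfies the selection.

    Both field conditions of a Sigma selection must hold (AND). Sigma string
    matching is case-insensitive, so the comparison is done in lower case.
    """
    cl = command_line.lower()
    return (any(s in cl for s in CONTAINS_ANY)
            and all(s in cl for s in CONTAINS_ALL))


# Constructed sample events (hypothetical hosts, tunnel name and connector ID).
CONNECTOR = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    # cleanup of one connector: all three required substrings present
    {"Computer": "ws-01",
     "CommandLine": f"cloudflared.exe tunnel cleanup --connector-id {CONNECTOR} demo-tunnel"},
    # cleanup with an explicit config file: '--config ' contains '-config '
    {"Computer": "ws-02",
     "CommandLine": r"cloudflared.exe tunnel --config C:\ProgramData\cf\config.yml cleanup demo-tunnel"},
    # cleanup without either flag: the 'contains' list is not satisfied
    {"Computer": "ws-03",
     "CommandLine": "cloudflared.exe tunnel cleanup demo-tunnel"},
    # ordinary tunnel run: 'cleanup ' is missing from the 'contains|all' list
    {"Computer": "ws-04",
     "CommandLine": r"cloudflared.exe tunnel --config C:\ProgramData\cf\config.yml run demo-tunnel"},
    # upper-case variant of the first event: still matches (case-insensitive)
    {"Computer": "ws-05",
     "CommandLine": f"CLOUDFLARED.EXE TUNNEL CLEANUP --CONNECTOR-ID {CONNECTOR} DEMO-TUNNEL"},
]


def triage(events):
    """Return the hosts whose events match the selection, in input order."""
    return [e["Computer"] for e in events if matches(e["CommandLine"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "HIT " if matches(e["CommandLine"]) else "miss"
        print(verdict, e["Computer"], e["CommandLine"])
```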