Techniques
Sample rules
Cloudflared Tunnels Related DNS Requests
- source: sigma
- techniques:
- t1071
- t1071.001
Description
Detects DNS requests to Cloudflared tunnel domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
Detection logic
condition: selection
selection:
    QueryName|endswith:
        - .v2.argotunnel.com
        - protocol-v2.argotunnel.com
        - trycloudflare.com
        - update.argotunnel.com
Network Connection Initiated To Cloudflared Tunnels Domains
- source: sigma
- techniques:
- t1567
- t1567.001
Description
Detects network connections to Cloudflared tunnel domains initiated by a process on the system. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
Detection logic
condition: selection
selection:
    DestinationHostname|endswith:
        - .v2.argotunnel.com
        - protocol-v2.argotunnel.com
        - trycloudflare.com
        - update.argotunnel.com
    Initiated: 'true'
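The matching logic of both rules above, applied to constructed Sysmon-style events so it can be checked offline. This is an added example, not code from the Sigma project; it assumes the Sysmon field names used in the rules (QueryName, DestinationHostname, Initiated, Image) and Sigma's default case-insensitive string matching.

```python
# Added example: evaluates the two Cloudflared Sigma rules against sample events.
# Assumes Sysmon-style field names; events below are constructed, not real telemetry.
from typing import Dict, Iterable, List, Tuple

# Suffix list taken verbatim from the two rules above.
CLOUDFLARED_SUFFIXES = (
    ".v2.argotunnel.com",
    "protocol-v2.argotunnel.com",
    "trycloudflare.com",
    "update.argotunnel.com",
)


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_dns_rule(event: Dict) -> bool:
    """Rule 1: DNS query (Sysmon EID 22) whose QueryName ends with a tunnel suffix."""
    return _endswith_any(event.get("QueryName", ""), CLOUDFLARED_SUFFIXES)


def matches_netconn_rule(event: Dict) -> bool:
    """Rule 2: network connection (Sysmon EID 3) that the local process initiated."""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and _endswith_any(event.get("DestinationHostname", ""), CLOUDFLARED_SUFFIXES)


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule name, Image) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        if matches_dns_rule(ev):
            hits.append(("cloudflared_dns", ev.get("Image", "?")))
        if matches_netconn_rule(ev):
            hits.append(("cloudflared_netconn", ev.get("Image", "?")))
    return hits


# Constructed sample events (hypothetical paths and hostnames).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Users\\u\\cloudflared.exe",
     "QueryName": "region1.v2.argotunnel.com"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "update.microsoft.com"},
    {"EventID": 3, "Image": "C:\\Users\\u\\cloudflared.exe",
     "DestinationHostname": "abc-def.trycloudflare.com", "Initiated": "true"},
    # Same hostname but Initiated is false (inbound), so rule 2 must stay quiet.
    {"EventID": 3, "Image": "C:\\Users\\u\\cloudflared.exe",
     "DestinationHostname": "abc-def.trycloudflare.com", "Initiated": "false"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The fourth event shows why the `Initiated: 'true'` clause matters: without it, the second rule would also fire on inbound connections that merely resolve to a tunnel hostname.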