Some legitimate use cases include authorized tunneling for remote access or service exposure in enterprise environments. Filter alerts for approved cloudflared deployments to reduce false positives.

Techniques

Sample rules

Windows Potential Cloudflared Network Connection

Description

This analytic detects network connection events possibly associated with Cloudflared, the client used to create tunnels via Cloudflare. Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool. It reaches out to the Cloudflare Edge Servers, creating an outbound connection over HTTPS (HTTP2/QUIC), through which the tunnel's controller makes services or private networks accessible.

Detection logic

| tstats `security_content_summariesonly`
    count min(_time) as firstTime
    max(_time) as lastTime
    values(All_Traffic.src_port) as src_port
  from datamodel=Network_Traffic.All_Traffic
  where All_Traffic.dest_port=7844
  by All_Traffic.action All_Traffic.app All_Traffic.dest
     All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction
     All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
     All_Traffic.src All_Traffic.src_ip All_Traffic.transport
     All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name(All_Traffic)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potential_cloudflared_network_connection_filter`
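The following is an added example, not part of this page or of the Splunk rule, that emulates the search above over a handful of constructed Network_Traffic events: it keeps connections to destination port 7844, aggregates count, firstTime, lastTime and the observed src_port values per combination of the rule's BY fields, and then applies a stand-in for the `windows_potential_cloudflared_network_connection_filter` macro as an allow-list of approved cloudflared hosts. The sample events, host names, IP addresses and the choice to key the allow-list on the src host name are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Group-by fields of the rule, without the All_Traffic. prefix that
# `drop_dm_object_name(All_Traffic)` strips in Splunk.
BY_FIELDS = (
    "action", "app", "dest", "dest_ip", "dest_port", "direction", "dvc",
    "protocol", "protocol_version", "src", "src_ip", "transport", "user",
    "vendor_product",
)


def _record(t, src, src_ip, src_port, dest_port, transport, app, user):
    # Build a constructed Network_Traffic event with every group-by field
    # populated (assumption: the data model is fully mapped in this example).
    return {
        "_time": t, "action": "allowed", "app": app, "dest": "198.51.100.10",
        "dest_ip": "198.51.100.10", "dest_port": dest_port, "direction": "outbound",
        "dvc": "fw-edge-01", "protocol": "ip", "protocol_version": "ipv4",
        "src": src, "src_ip": src_ip, "src_port": src_port, "transport": transport,
        "user": user, "vendor_product": "Example Firewall",
    }


# Constructed sample events (not real telemetry); _time is epoch seconds.
SAMPLE_TRAFFIC = [
    _record(1714557600, "WKSTN-01", "10.1.2.3", 51000, 7844, "udp", "cloudflared.exe", "alice"),
    _record(1714557660, "WKSTN-01", "10.1.2.3", 51001, 7844, "udp", "cloudflared.exe", "alice"),
    _record(1714557720, "BUILD-SRV", "10.1.5.9", 40000, 7844, "tcp", "cloudflared.exe", "svc-ci"),
    _record(1714557780, "WKSTN-01", "10.1.2.3", 51002, 443, "tcp", "chrome.exe", "alice"),
]


def ctime(epoch):
    """Mirror `security_content_ctime`: epoch seconds to a readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_cloudflared_connections(records, dest_port=7844):
    """Emulate the tstats search: keep events to dest_port 7844, then compute
    count, firstTime, lastTime and the set of src_port values per
    combination of the BY fields."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "src_port": set()})
    for r in records:
        if r.get("dest_port") != dest_port:
            continue
        key = tuple(r.get(f) for f in BY_FIELDS)
        g = groups[key]
        g["count"] += 1
        g["times"].append(r["_time"])
        g["src_port"].add(r["src_port"])
    results = []
    for key, g in groups.items():
        row = dict(zip(BY_FIELDS, key))
        row.update(count=g["count"], firstTime=ctime(min(g["times"])),
                   lastTime=ctime(max(g["times"])), src_port=sorted(g["src_port"]))
        results.append(row)
    return results


def apply_filter(results, approved_hosts):
    """Stand-in for the `windows_potential_cloudflared_network_connection_filter`
    macro: drop rows from hosts with an approved cloudflared deployment
    (assumption: the allow-list is keyed on the src host name)."""
    return [row for row in results if row["src"] not in approved_hosts]


if __name__ == "__main__":
    hits = detect_cloudflared_connections(SAMPLE_TRAFFIC)
    for row in apply_filter(hits, approved_hosts={"BUILD-SRV"}):
        print(row["src"], row["user"], row["count"], row["src_port"],
              row["firstTime"], row["lastTime"])
```

Run stand-alone, the script reports only the WKSTN-01 activity: the BUILD-SRV tunnel is removed by the allow-list and the port 443 browser connection never matches the port 7844 predicate. Because the two WKSTN-01 events differ only in src_port, which is not a BY field, they collapse into one row with count 2 and both source ports listed, which is the same shape the Splunk search produces.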