Network Connection Initiated To Cloudflared Tunnels Domains

Rule Info

Name
Network Connection Initiated To Cloudflared Tunnels Domains
Author
Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
Description
Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Reference
https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
Date
2024-05-27 00:00:00
Modified
None
Id
7cd1dcdc-6edf-4896-86dc-d1f19ad64903
Tags
attack.exfiltration attack.command-and-control attack.t1567 attack.t1572
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=7cd1dcdc-6edf-4896-86dc-d1f19ad64903

Rule History

Author
Title
Date
Commit
Liran Ravich
Merge PR #5563 from @Liran017 - update MITRE tag
2025-07-30
f35469796
github-actions[bot]
Merge PR #5249 from @nasbench - Promote older rules status from `experimental` to `test`
2025-04-17
29ad6f961
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Florian Roth
Merge PR #4866 from @Neo23x0 - Update network connection rules
2024-05-31
2bf502fb9
Kamran Saifullah
Merge PR #4863 from @deFr0ggy - Add network connection counterpart rule for cloudflare tunnels
2024-05-27
2fcf25097
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022