Network Connection Initiated To Cloudflared Tunnels Domains

Rule Info

Name
Network Connection Initiated To Cloudflared Tunnels Domains
Author
Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
Description
Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Date
2024-05-27 00:00:00
Modified
None
Id
7cd1dcdc-6edf-4896-86dc-d1f19ad64903
Tags
attack.exfiltration attack.command_and_control attack.t1567.001 DEMO
Type
Community Rule

Rule History

Author
Title
Date
Commit
Kamran Saifullah
Merge PR #4863 from @deFr0ggy - Add network connection counterpart rule for cloudflare tunnels
2024-05-27