Cloudflared Tunnel Execution

Rule Info

Name: Cloudflared Tunnel Execution
Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Date: 2023-05-17 00:00:00
Modified: 2023-12-20 00:00:00
Id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
Type: Community Rule

Rule History

| Author | Title | Date | Commit |
|---|---|---|---|
| github-actions[bot] | Merge PR #5065 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-11-01 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| Sajid Nawaz Khan | Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels | 2023-12-21 | |
| BlueTeamOps | feat: add new rules related to cloudflared usage (#4243) | 2023-05-18 | |