Cloudflared Tunnels Related DNS Requests

Rule Info

Name: Cloudflared Tunnels Related DNS Requests
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Date: 2023-12-20 00:00:00
Modified: None
Id: a1d9eec5-33b2-4177-8d24-27fe754d0812
Tags: attack.command-and-control, attack.t1071.001
Type: Community Rule

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| github-actions[bot] | Merge PR #5065 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-11-01 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| Kamran Saifullah | Merge PR #4863 from @deFr0ggy - Add network connection counterpart rule for cloudflare tunnels | 2024-05-27 | |
| Sajid Nawaz Khan | Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels | 2023-12-21 | |