security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add new rules related to cloudflared usage (#4243)

Browse Source
This commit is contained in:
BlueTeamOps
2023-05-18 01:21:23 +10:00
committed by GitHub
parent 7f3eff58e1
commit 7b90c00a45
2 changed files with 61 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
+29
View File
@@ -0,0 +1,29 @@
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: experimental
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
references:
- https://github.com/cloudflare/cloudflared
- https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/17
tags:
- attack.command_and_control
- attack.t1102
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' tunnel '
- 'cleanup '
CommandLine|contains:
- ' --config '
- ' --connector-id '
condition: selection
falsepositives:
- Legitimate usage of Cloudflared.
level: medium
rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
+32
View File
@@ -0,0 +1,32 @@
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: experimental
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
- https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
- https://github.com/cloudflare/cloudflared
- https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/17
tags:
- attack.command_and_control
- attack.t1102
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' tunnel '
- ' run '
CommandLine|contains:
- ' --config '
- ' --credentials-contents '
- ' --credentials-file '
- ' --token '
condition: selection
falsepositives:
- Legitimate usage of Cloudflared.
level: medium