diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
new file mode 100644
index 000000000..dd9a28ac9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
@@ -0,0 +1,29 @@
+title: Cloudflared Tunnel Connections Cleanup
+id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
+status: experimental
+description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
+references:
+ - https://github.com/cloudflare/cloudflared
+ - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/17
+tags:
+ - attack.command_and_control
+ - attack.t1102
+ - attack.t1090
+ - attack.t1572
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - ' tunnel '
+ - 'cleanup '
+ CommandLine|contains:
+ - ' --config '
+ - ' --connector-id '
+ condition: selection
+falsepositives:
+ - Legitimate usage of Cloudflared.
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
new file mode 100644
index 000000000..c650c6561
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
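Review bot: The second `CommandLine|contains` list under `selection` is ANDed with the `' tunnel '`/`'cleanup '` pair, so a plain `cloudflared tunnel cleanup <tunnel-name-or-uuid>` invocation, which as far as the cloudflared documentation shows needs neither `--config` nor `--connector-id`, will not match. The same narrowing recurs in proc_creation_win_cloudflared_tunnel_run.yml, where `tunnel run <name>` with credentials read from the default location carries none of the listed flags either. If the intent is to catch every cleanup call, drop the `CommandLine|contains:` list and its two entries; if the intent is to restrict the rule to explicitly configured invocations, the description should state that so the gap is a documented choice. Separately, `'cleanup '` is the only token without a leading space while `' tunnel '` (and `' run '` in the sibling rule) carry both, which reads as an inconsistency rather than a design choice; `' cleanup '` would keep the same word boundary on both sides.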
@@ -0,0 +1,32 @@
+title: Cloudflared Tunnel Execution
+id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
+status: experimental
+description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
+references:
+ - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
+ - https://github.com/cloudflare/cloudflared
+ - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/17
+tags:
+ - attack.command_and_control
+ - attack.t1102
+ - attack.t1090
+ - attack.t1572
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - ' tunnel '
+ - ' run '
+ CommandLine|contains:
+ - ' --config '
+ - ' --credentials-contents '
+ - ' --credentials-file '
+ - ' --token '
+ condition: selection
+falsepositives:
+ - Legitimate usage of Cloudflared.
+level: medium
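Review bot: `' run '` in the `contains|all` list requires a trailing space, so the documented form `cloudflared tunnel --config <path> run`, where the tunnel ID comes from the config file and `run` is the last token on the command line, does not match even though `--config` is present. Process-creation telemetry does not reliably preserve a trailing space, so the miss is systematic rather than occasional. Keeping the word boundary while covering the end-of-line case needs a second selection with `CommandLine|endswith: ' run'` ORed into the condition, as sketched below; the flag list keeps the same narrowing noted on the cleanup rule and should be revisited together with it.

```yaml
detection:
    selection_tunnel:
        CommandLine|contains: ' tunnel '
    selection_run:
        CommandLine|contains: ' run '
    selection_run_end:
        CommandLine|endswith: ' run'
    selection_flags:
        CommandLine|contains:
            - ' --config '
            - ' --credentials-contents '
            - ' --credentials-file '
            - ' --token '
    condition: selection_tunnel and (selection_run or selection_run_end) and selection_flags
# … unchanged: title, id, references, tags, logsource, falsepositives, level …
```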