security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
889efd1663f0781e110f32e8e81e88a311e6c500
blue-team-tools/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
T
Sajid Nawaz Khan d88e556516 Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Quick Tunnels 
new: Cloudflared Tunnels Related DNS Requests
new: Cloudflared Portable Execution
new: Cloudflared Quick Tunnel Execution
new: Renamed Cloudflared.EXE Execution
update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash
update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary double dash

---------

Co-authored-by: Sajid Nawaz Khan <snkhan@Sajids-MacBook-Pro.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-12-21 12:32:08 +01:00

27 lines
821 B
YAML
Raw Blame History

title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
status: experimental
description: Detects DNS query requests to Cloudflared tunnels domains.
references:
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/12/20
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith:
- '.v2.argotunnel.com'
- 'protocol-v2.argotunnel.com'
- 'trycloudflare.com'
- 'update.argotunnel.com'
condition: selection
falsepositives:
- Legitimate use of cloudflare tunnels will also trigger this.
level: medium
Reference in New Issue View Git Blame Copy Permalink