security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b8e67f13d5bf39d690da91cae2066312efd3bd00
blue-team-tools/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
T
Kamran Saifullah 2fcf250978 Merge PR #4863 from @deFr0ggy - Add network connection counterpart rule for cloudflare tunnels 
update: Cloudflared Tunnels Related DNS Requests - Update description and related field
new: Network Connection Initiated To Cloudflared Tunnels Domains
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 13:10:06 +02:00

32 lines
992 B
YAML
Raw Blame History

title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
- id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
type: similar
status: experimental
description: |
Detects DNS requests to Cloudflared tunnels domains.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/12/20
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith:
- '.v2.argotunnel.com'
- 'protocol-v2.argotunnel.com'
- 'trycloudflare.com'
- 'update.argotunnel.com'
condition: selection
falsepositives:
- Legitimate use of cloudflare tunnels will also trigger this.
level: medium
Reference in New Issue View Git Blame Copy Permalink