Merge PR #4628 from @ssnkhan - New: Detect Creation of Cloudflared Qu…

…ick Tunnels new: Cloudflared Tunnels Related DNS Requests new: Cloudflared Portable Execution new: Cloudflared Quick Tunnel Execution new: Renamed Cloudflared.EXE Execution update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary double dash --------- Co-authored-by: Sajid Nawaz Khan <[email protected]> Co-authored-by: nasbench <[email protected]>
SigmaHQ · Dec 21, 2023 · d88e556 · d88e556
1 parent 267de25
commit d88e556
Show file tree

Hide file tree

Showing 6 changed files with 241 additions and 7 deletions.
diff --git a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
@@ -0,0 +1,26 @@
+title: Cloudflared Tunnels Related DNS Requests
+id: a1d9eec5-33b2-4177-8d24-27fe754d0812
+status: experimental
+description: Detects DNS query requests to Cloudflared tunnels domains.
+references:
+    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
+    - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/12/20
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    selection:
+        QueryName|endswith:
+            - '.v2.argotunnel.com'
+            - 'protocol-v2.argotunnel.com'
+            - 'trycloudflare.com'
+            - 'update.argotunnel.com'
+    condition: selection
+falsepositives:
+    - Legitimate use of cloudflare tunnels will also trigger this.
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
@@ -0,0 +1,30 @@
+title: Cloudflared Portable Execution
+id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
+status: experimental
+description: |
+    Detects the execution of the "cloudflared" binary from a non standard location.
+references:
+    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
+    - https://github.com/cloudflare/cloudflared
+    - https://www.intrinsec.com/akira_ransomware/
+    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
+    - https://github.com/cloudflare/cloudflared/releases
+author: Nasreddine Bencherchali (Nextron Systems)
+tags:
+    - attack.command_and_control
+    - attack.t1090.001
+date: 2023/12/20
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\cloudflared.exe'
+    filter_main_admin_location:
+        Image|contains:
+            - ':\Program Files (x86)\cloudflared\'
+            - ':\Program Files\cloudflared\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Legitimate usage of Cloudflared portable versions
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml
@@ -0,0 +1,88 @@
+title: Cloudflared Quick Tunnel Execution
+id: 222129f7-f4dc-4568-b0d2-22440a9639ba
+related:
+    - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
+      type: similar
+    - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
+      type: similar
+status: experimental
+description: |
+    Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
+    The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
+    The tool has been observed in use by threat groups including Akira ransomware.
+references:
+    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
+    - https://github.com/cloudflare/cloudflared
+    - https://www.intrinsec.com/akira_ransomware/
+    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
+author: Sajid Nawaz Khan
+tags:
+    - attack.command_and_control
+    - attack.t1090.001
+date: 2023/12/20
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\cloudflared.exe'
+              - '\cloudflared-windows-386.exe'
+              - '\cloudflared-windows-amd64.exe'
+        - Hashes|contains:
+              - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
+              - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
+              - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
+              - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
+              - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
+              - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
+              - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
+              - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
+              - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
+              - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
+              - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
+              - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
+              - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
+              - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
+              - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
+              - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
+              - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
+              - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
+              - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
+              - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
+              - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
+              - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
+              - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
+              - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
+              - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
+              - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
+              - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
+              - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
+              - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
+              - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
+              - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
+              - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
+              - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
+              - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
+              - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
+              - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
+              - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
+              - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
+    # Note:
+    #   Accounts for the cloudflared binaries being renamed
+    #   `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names
+    selection_param:
+        - CommandLine|contains|all:
+              - '-url'
+              - 'tunnel'
+        - CommandLine|contains:
+              - '.exe -url'
+              - '.exe --url'
+    selection_other:
+        CommandLine|contains|all:
+            - '-url'
+            - '-no-autoupdate'
+    condition: (selection_img and selection_param) or selection_other
+falsepositives:
+    - Legitimate usage of Cloudflare Quick Tunnel
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
@@ -7,6 +7,7 @@ references:
     - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/17
+modified: 2023/12/21
 tags:
     - attack.command_and_control
     - attack.t1102
@@ -21,8 +22,8 @@ detection:
             - ' tunnel '
             - 'cleanup '
         CommandLine|contains:
-            - ' --config '
-            - ' --connector-id '
+            - '-config '
+            - '-connector-id '
     condition: selection
 falsepositives:
     - Legitimate usage of Cloudflared.

diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
@@ -8,6 +8,7 @@ references:
     - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/17
+modified: 2023/12/20
 tags:
     - attack.command_and_control
     - attack.t1102
@@ -22,11 +23,11 @@ detection:
             - ' tunnel '
             - ' run '
         CommandLine|contains:
-            - ' --config '
-            - ' --credentials-contents '
-            - ' --credentials-file '
-            - ' --token '
+            - '-config '
+            - '-credentials-contents '
+            - '-credentials-file '
+            - '-token '
     condition: selection
 falsepositives:
-    - Legitimate usage of Cloudflared.
+    - Legitimate usage of Cloudflared tunnel.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml
@@ -0,0 +1,88 @@
+title: Renamed Cloudflared.EXE Execution
+id: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0
+status: experimental
+description: Detects the execution of a renamed "cloudflared" binary.
+references:
+    - https://github.com/cloudflare/cloudflared/releases
+    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
+    - https://github.com/cloudflare/cloudflared
+    - https://www.intrinsec.com/akira_ransomware/
+    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
+tags:
+    - attack.command_and_control
+    - attack.t1090.001
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/12/20
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cleanup:
+        CommandLine|contains|all:
+            - ' tunnel '
+            - 'cleanup '
+        CommandLine|contains:
+            - '-config '
+            - '-connector-id '
+    selection_tunnel:
+        CommandLine|contains|all:
+            - ' tunnel '
+            - ' run '
+        CommandLine|contains:
+            - '-config '
+            - '-credentials-contents '
+            - '-credentials-file '
+            - '-token '
+    selection_accountless:
+        CommandLine|contains|all:
+            - '-url'
+            - 'tunnel'
+    selection_hashes:
+        Hashes|contains:
+            - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
+            - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
+            - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
+            - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
+            - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
+            - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
+            - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
+            - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
+            - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
+            - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
+            - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
+            - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
+            - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
+            - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
+            - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
+            - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
+            - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
+            - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
+            - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
+            - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
+            - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
+            - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
+            - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
+            - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
+            - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
+            - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
+            - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
+            - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
+            - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
+            - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
+            - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
+            - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
+            - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
+            - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
+            - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
+            - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
+            - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
+            - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
+    filter_main_known_names:
+        Image|endswith:
+            - '\cloudflared.exe'
+            - '\cloudflared-windows-386.exe'
+            - '\cloudflared-windows-amd64.exe'
+    condition: 1 of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high