Potential Protocol Tunneling via Cloudflared

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Protocol Tunneling via Cloudflared

Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare’s edge while evading direct connection blocking.

Rule type: eql

Rule indices:

endgame-*
logs-crowdstrike.fdr*
logs-endpoint.events.process-*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*
logs-system.security*
logs-windows.sysmon_operational-*
winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
Data Source: Crowdstrike
Data Source: Elastic Endgame
Data Source: Windows Security Event Logs

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Potential Protocol Tunneling via Cloudflared

Cloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare’s edge. Adversaries abuse it to create quick or named tunnels for C2, data exfiltration, or ingress tool transfer while evading direct connection blocking.

Possible investigation steps

Confirm the process command line for tunnel, --url, or tunnel run to validate cloudflared tunnel usage.
Identify the parent process and process executable path; cloudflared run from temp or user writable locations is more suspicious than from Program Files.
For quick tunnel (--url http://...), identify the local URL and whether it could be a C2 callback or proxy.
Correlate with network data for outbound connections to Cloudflare IPs or trycloudflare.com-style hostnames around the same time.
Review the user and session that started the tunnel; look for other suspicious logon or execution from the same context.

False positive analysis

Legitimate use of Cloudflare Tunnel for development or internal services may trigger this rule; consider allowlisting by path or user for approved use cases.

Response and remediation

If unauthorized tunnel use is confirmed: isolate the host, terminate the cloudflared process, and block cloudflared or Cloudflare tunnel domains at DNS/firewall where policy permits.
Rotate credentials for any accounts that may have been exposed over the tunnel.

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and
 (process.name : "cloudflared.exe" or ?process.pe.original_file_name == "cloudflared.exe" or ?process.code_signature.subject_name : "Cloudflare, Inc.") and process.args : "tunnel"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Protocol Tunneling
- ID: T1572
- Reference URL: https://attack.mitre.org/techniques/T1572/

« Remote Management Access Launch After MSI Install Potential Protocol Tunneling via Yuze »