Cloudflare Tunnel (cloudflared) Abuse for Protocol Tunneling
Adversaries are abusing Cloudflare Tunnel (cloudflared) to create outbound tunnels and proxy command and control traffic, or exfiltrate data, evading direct connection blocking by routing traffic through Cloudflare's edge.
Cloudflare Tunnel (cloudflared) is a legitimate tool designed to expose local services securely through Cloudflare's network. Threat actors are abusing this tool to establish covert communication channels, proxy command and control (C2) traffic, and exfiltrate sensitive data. By leveraging Cloudflare's infrastructure, attackers can effectively bypass traditional network security measures and evade detection based on direct connection blocking. This technique allows for the creation of quick tunnels (e.g., using the --url parameter) or named tunnels, offering flexibility in establishing and maintaining a persistent presence within compromised environments. Defenders should be aware of unusual cloudflared process executions, especially when originating from non-standard locations or user profiles.
Attack Chain
- The attacker gains initial access to a target Windows system, potentially through exploitation of a vulnerability or credential compromise.
- The attacker downloads the
cloudflared.exebinary to the compromised host, often placing it in a non-standard directory such asC:\Users\<username>\AppData\Local\Temp. - The attacker executes
cloudflared.exewith thetunnelcommand and arguments to create a quick tunnel, mapping a local port (e.g., 127.0.0.1:8080) to a Cloudflare-provided endpoint. - The attacker configures their C2 server or data exfiltration tool to communicate with the local port being tunneled by
cloudflared.exe. - All traffic between the compromised host and the C2 server or exfiltration point is now routed through the Cloudflare tunnel, masking the destination IP address and port.
- The attacker maintains persistence by scheduling a task or modifying a registry key to automatically restart the
cloudflared.exeprocess after system reboots. - The attacker uses the established tunnel to execute commands on the compromised host or to exfiltrate sensitive data to an external location.
- The attacker removes traces of the cloudflared installation and execution from the system logs to prevent detection, as much as possible.
Impact
Successful exploitation of Cloudflare Tunnel can lead to significant compromise, including data exfiltration, command and control of infected systems, and the establishment of persistent backdoors. Due to the nature of tunneling through a legitimate service like Cloudflare, detection can be challenging. If successful, this could impact any organization utilizing Windows systems and can lead to financial loss and reputational damage. The number of victims and sectors targeted remain unknown, but this technique is a common method used to bypass network security.
Recommendation
- Monitor process creation events for
cloudflared.exeexecutions, especially those originating from unusual locations like temporary directories (C:\Users\<username>\AppData\Local\Temp) using the Sigma ruleDetect Cloudflared Execution from Suspicious Location. - Inspect command-line arguments of
cloudflared.exeprocesses for the presence oftunnel,--url, ortunnel runto identify potential tunnel creation attempts as seen in the primary rule. - Monitor network connections for outbound traffic to Cloudflare IPs or domains like
trycloudflare.cominitiated by uncommon processes to identify potential tunneling activity, as described in the overview section. - Block the domain
trycloudflare.comat the DNS resolver to prevent connections to potentially malicious Cloudflare tunnels, based on the IOC identified.
Detection coverage 3
Detect Cloudflared Execution from Suspicious Location
highDetects cloudflared.exe execution from suspicious locations like the user's temp directory.
Detect Cloudflared Process Name and Arguments
mediumDetects cloudflared.exe execution with tunnel arguments
Detect Cloudflared Code Signature
mediumDetects cloudflared.exe execution based on code signature of Cloudflare, Inc.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
domain
| Type | Value |
|---|---|
| domain | trycloudflare.com |