Threat Feed

Tag

Reverse-Proxy

4 briefs
medium advisory

Potential Cloudflared Network Tunnel Detection

This brief detects network connection events associated with the Cloudflared tool, which creates tunnels via Cloudflare by establishing outbound connections to Cloudflare Edge Servers and can potentially be used for unauthorized access or exfiltration.

Cloudflared +3 reverse-proxy tunneling network-tunnel
2r 1t
high advisory

Potential Abuse of Cloudflare Tunnels via Cloudflared

Attackers are increasingly abusing Cloudflare tunnels, created via the cloudflared client, to establish stealthy command-and-control channels and evade network defenses by proxying traffic through Cloudflare's infrastructure.

Cloudflared +3 cloudflare reverse-proxy tunnel command-and-control
2r 2t
high advisory

Microsoft Devtunnels Execution for Covert Communication

The execution of Microsoft devtunnels.exe can be abused by attackers to expose compromised systems to the internet, establish covert communication channels, and bypass network security measures, facilitating data exfiltration or command-and-control.

Visual Studio +3 devtunnels reverse-proxy command-and-control defense-evasion windows
2r 1t
medium advisory

Microsoft Devtunnels Image Load Detection

This detection identifies potential misuse of Microsoft Devtunnels within Visual Studio based on image load events, which indicate that an attacker could expose a compromised system or service to the internet for covert communication and data exfiltration.

Visual Studio +3 devtunnels reverse-proxy command-and-control data-exfiltration windows
2r 2t