Cloudflared Quick Tunnel Execution (222129f7-f4dc-4568-b0d2-22440a9639ba)

Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | Cloudflared Quick Tunnel Execution (222129f7-f4dc-4568-b0d2-22440a9639ba) | Sigma-Rules | 1 |
| Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 2 |