Back to Rule

Rule History

SID: 2068665 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 2Apr 9, 2026, 12:00 PM

ET HUNTING Archive/Executable File Hosted via Cloudflare Services (* .workers .dev)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Archive/Executable File Hosted via Cloudflare Services (* .workers .dev)"; flow:established,to_server; http.host; content:".workers.dev"; fast_pattern; endswith; http.uri; content:"."; pcre:"/^(?:wsf|js|jse|vbs|vbe|bat|cmd|ps1|hta|lnk|url|scr|msi|cpl|sh|bash|zsh|py|pl|rb|php|jar|app|command|pkg|dmg|run|bin|tar|tgz|zip|7z)(?:$|[?#&])/Ri"; reference:url,cofense.com/blog/how-cloudflare-services-are-abused-for-credential-theft-and-malware-distribution; reference:url,developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/; classtype:misc-activity; sid:2068665; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_04_09, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Informational, updated_at 2026_05_21; target:src_ip;)

Apr 9, 2026, 12:00 PM

May 21, 2026, 12:00 PM

Apr 9, 2026, 9:35 PM

May 21, 2026, 9:34 PM

rules/emerging-hunting.rules