```yaml
title: Reverse Tunnel Tool Execution
id: edr-win-c2-reverse-tunneling
status: stable
description: >
  Detects execution of common reverse tunneling tools — Cloudflared, ngrok, Ligolo/Ligolo-ng, and Chisel — via process name or PE display name.
  These tools create encrypted tunnels from internal networks to attacker infrastructure, bypassing firewall rules.
  Heavily abused by Akira (cloudflared), Qilin (ngrok), and TheGentlemen (ngrok + RustDesk).
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  - https://hunt.io/blog/thegentlemen-ransomware-toolkit-russian-proton66-server
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.command_and_control
  - attack.t1572
  - attack.t1090
logsource:
  category: process_creation
  product: windows
detection:
  selection_name:
    Image|contains:
      - 'ligolo'
      - 'cloudflared'
      - 'ngrok'
      - 'chisel'
  selection_displayname:
    Product|contains:
      - 'ligolo'
      - 'cloudflared'
      - 'ngrok'
      - 'chisel'
  condition: selection_name or selection_displayname
falsepositives:
  - Authorized Cloudflare Tunnel deployments by IT
  - Developer use of ngrok for testing (should be policy-controlled)
level: high
```
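An added example (not part of the rule or of any Sigma tooling) that evaluates the detection block above over constructed Sysmon-style process_creation events: it mirrors Sigma's case-insensitive `contains` modifier and the `selection_name or selection_displayname` condition, with the `DETECTION` dict restating the rule so no YAML parser is needed. The renamed-binary sample shows why the `Product` selection matters, and the last sample shows the substring-matching hazard behind the rule's false-positive notes.

```python
# Added example: minimal evaluator for the rule's detection block.
# Sigma string matching is case-insensitive; `contains` is a substring test.

TUNNEL_TOOLS = ["ligolo", "cloudflared", "ngrok", "chisel"]

# The two selections from the rule, keyed by "<field>|<modifier>".
DETECTION = {
    "selection_name": {"Image|contains": TUNNEL_TOOLS},
    "selection_displayname": {"Product|contains": TUNNEL_TOOLS},
}


def field_matches(event: dict, field_spec: str, values: list) -> bool:
    """Apply one Sigma field/modifier pair; only `contains` is needed here."""
    field, _, modifier = field_spec.partition("|")
    if modifier != "contains":
        raise ValueError("unsupported modifier: %r" % modifier)
    actual = str(event.get(field, "")).lower()
    return any(v.lower() in actual for v in values)


def selection_matches(event: dict, selection: dict) -> bool:
    """Field specs inside one selection are AND-ed (Sigma map semantics)."""
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


def matches_rule(event: dict) -> list:
    """Names of the selections that fired; the condition is an OR, so the
    event is an alert whenever the returned list is non-empty."""
    return [name for name, sel in DETECTION.items() if selection_matches(event, sel)]


# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\cloudflared.exe", "Product": "cloudflared"},
    # Renamed binary: the process name hides the tool, the PE version info does not.
    {"Image": r"C:\ProgramData\svc-update.exe", "Product": "ngrok"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Product": "Google Chrome"},
    # Substring hazard: 'chisel' inside an unrelated file name still fires.
    {"Image": r"C:\Users\alice\Documents\chiseled-report.exe", "Product": "ReportTool"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", matches_rule(ev) or "no match")
```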