Education

I was doing some testing with Cloudflare tunnels this weekend, and I woke up this morning to see what funny honeypot messages I had. I quickly checked if the site was online and found a Cloudflare error message. This is just an IIS instance running on a Windows 11 PC (with no Wi-Fi or Bluetooth) plugged into a test network (so if it gets pwn3d, it’s not going to impact anything important).

Well I saw this:

So I went to RDP into the box and couldn’t get a connection. Interesting… did someone pwn this? Or was this (more likely) a faux pas?

A quick dig into the system and we can see this:

Windows Defender has eaten both the installer and the service binary!

So, mystery solved!

So that’s something to watch out for if you are using this for legitimate purposes (which should be the majority of usage, should it not?!).

https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel

Things to consider

This tool and many other reverse tunnels can be used by staff for authorised and unauthorised purposes. They can also be abused by criminals as part of network intrusion events (such as ransomware).

Balancing security with functionality is an eternal struggle… am I glad it was ‘caught’ by Defender? I’m not really sure. Can I see why actions like this cause some people to disable antivirus? Sure.

My example here was a quick honeypot setup, but it could have been for personal usage or for business purposes. Knowing what you have, why you have it, how it works and how to detect abuse are important things when it comes to digital security. Most things are dual use! They can be used for good or evil!
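As an added example (not from the original post or from Cloudflare), here is the kind of quick PowerShell triage that answers both questions above on a Windows host: is the tunnel connector still registered and present on disk, and did Defender act on it? It assumes the service is named `Cloudflared` (the default name when it is installed as a Windows service) and that the Defender module and its Operational event log are available.

```powershell
# Added example, not code from the original post.
# Assumption: the connector runs as a Windows service named "Cloudflared".
$serviceName = 'Cloudflared'

# 1. Is the service still registered, and does its binary still exist on disk?
$svc = Get-CimInstance Win32_Service -Filter "Name = '$serviceName'"
if ($null -eq $svc) {
    Write-Output "No service named $serviceName is registered."
} else {
    # PathName is the full command line; pull out just the executable path,
    # whether or not the installer quoted it.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    Write-Output ("Service {0}: state={1} start={2}" -f $svc.Name, $svc.State, $svc.StartMode)
    Write-Output ("Binary: {0} exists={1}" -f $exe, (Test-Path -LiteralPath $exe))
}

# 2. What has Defender detected that involves a cloudflared file?
#    Resources holds the affected paths; ActionSuccess tells you whether
#    the remediation (e.g. quarantine) completed.
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -match 'cloudflared' } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 3. Cross-check with the Defender event log: 1116 = detection, 1117 = action taken.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cloudflared' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it from an elevated prompt; a registered service whose binary no longer exists, paired with a 1117 event naming that path, is exactly the "Defender ate it" picture described above, while the same query on a machine where nobody installed a tunnel is a useful starting point for spotting an unauthorised one.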