by willglynn 1039 days ago
> Furthermore, as Cloudflare Tunnel requires the installation of the 'cloudflared' client, defenders can detect its use by monitoring file hashes associated with client releases.

Is this effective? Presumably attackers could `go build` their own binaries to get equivalent clients with different hashes, or even combine the open-source `cloudflared` internals with a larger payload.

1 comments

That's definitely true. What we saw in the instances we've observed were the legit binaries from Cloudflared directly. It's definitely possible for them to build their own variants to avoid basic hash detection, or to implement alternative connectivity instead of routing to Cloudflared infrastructure over 7844.
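As an added illustration (not code from either commenter), here is a Python sketch of the behavioural check the reply points toward: flagging outbound connections to port 7844 regardless of whether the binary's hash is on a release list, so a rebuilt or renamed client is still surfaced. The hash allow-list and the event records are constructed placeholders.

```python
from dataclasses import dataclass

# Default port cloudflared uses to reach Cloudflare's edge, as noted in the thread.
TUNNEL_PORT = 7844

# Constructed placeholder: in practice, fill this from the hashes of official client releases.
KNOWN_CLIENT_HASHES = {"0" * 63 + "1"}


@dataclass(frozen=True)
class ConnEvent:
    """One constructed endpoint event: a process making a network connection."""
    pid: int
    process: str
    sha256: str
    dst_port: int
    outbound: bool


def classify(ev: ConnEvent) -> str:
    """Label an event by behaviour first, binary hash second."""
    hash_known = ev.sha256 in KNOWN_CLIENT_HASHES
    to_tunnel_port = ev.outbound and ev.dst_port == TUNNEL_PORT
    if hash_known and to_tunnel_port:
        return "official-client-tunnel"      # what the reply says was actually observed
    if to_tunnel_port:
        return "unknown-binary-tunnel"       # rebuilt/renamed client: hash matching alone misses this
    if hash_known:
        return "official-client-other-port"  # known binary using alternative connectivity
    return "benign"


def triage(events):
    """Return {pid: label} for every event that is not benign."""
    return {ev.pid: classify(ev) for ev in events if classify(ev) != "benign"}


# Constructed sample events covering the cases discussed in the thread.
SAMPLE_EVENTS = [
    ConnEvent(101, "cloudflared", "0" * 63 + "1", 7844, True),          # stock release binary
    ConnEvent(202, "svc-updater", "a" * 64, 7844, True),                # rebuilt client, new hash
    ConnEvent(303, "curl", "b" * 64, 443, True),                        # ordinary HTTPS traffic
    ConnEvent(404, "cloudflared", "0" * 63 + "1", 443, True),           # known binary, other port
    ConnEvent(505, "sshd", "c" * 64, 7844, False),                      # inbound, not flagged
]

if __name__ == "__main__":
    for pid, label in triage(SAMPLE_EVENTS).items():
        print(pid, label)
```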