DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
Sigma rule (View on GitHub)
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung, Azure-Sentinel
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query:
            - 'tor2web.org'
            - 'tor2web.com'
            - 'torlink.co'
            - 'onion.to'
            - 'onion.ink'
            - 'onion.cab'
            - 'onion.nu'
            - 'onion.link'
            - 'onion.it'
            - 'onion.city'
            - 'onion.direct'
            - 'onion.top'
            - 'onion.casa'
            - 'onion.plus'
            - 'onion.rip'
            - 'onion.dog'
            - 'tor2web.fi'
            - 'tor2web.blutmagie.de'
            - 'onion.sh'
            - 'onion.lu'
            - 'onion.pet'
            - 't2w.pw'
            - 'tor2web.ae.org'
            - 'tor2web.io'
            - 'tor2web.xyz'
            - 'onion.lt'
            - 's1.tor-gateways.de'
            - 's2.tor-gateways.de'
            - 's3.tor-gateways.de'
            - 's4.tor-gateways.de'
            - 's5.tor-gateways.de'
            - 'hiddenservice.net'
    condition: selection
fields:
    - clientip
falsepositives:
    - Unknown
level: medium
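The following is an added example, not part of the rule or the Sigma project: it applies the rule's domain list to Zeek dns.log records exported as JSON. Two matchers are shown because the Sigma `query:` list above carries no modifier, which means exact (case-insensitive) equality against the whole query; a lookup for a hostname under one of these domains, such as a subdomain of `onion.to`, is not matched by that semantics. The suffix matcher illustrates what a `|endswith`-style rewrite would catch instead. The sample records are constructed, `id.orig_h` is assumed to be the Zeek field that the rule's `clientip` maps to, and the trailing-dot normalisation is this example's own choice.

```python
import json

# Domains copied from the rule's `query:` selection above.
TOR_PROXY_DOMAINS = frozenset(d.lower() for d in [
    "tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink",
    "onion.cab", "onion.nu", "onion.link", "onion.it", "onion.city",
    "onion.direct", "onion.top", "onion.casa", "onion.plus", "onion.rip",
    "onion.dog", "tor2web.fi", "tor2web.blutmagie.de", "onion.sh", "onion.lu",
    "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz",
    "onion.lt", "s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de",
    "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net",
])


def normalize(query: str) -> str:
    """Lower-case and drop a trailing dot so 'Onion.TO.' compares equal to 'onion.to'.

    Trailing-dot handling is an assumption of this example, not Sigma semantics.
    """
    return query.strip().lower().rstrip(".")


def matches_exact(query: str) -> bool:
    """Sigma semantics for an unmodified value list: the whole field equals one entry."""
    return normalize(query) in TOR_PROXY_DOMAINS


def matches_suffix(query: str) -> bool:
    """Looser check: the query is one of the domains or any subdomain of one."""
    q = normalize(query)
    return any(q == d or q.endswith("." + d) for d in TOR_PROXY_DOMAINS)


def scan_zeek_dns(lines, matcher=matches_exact):
    """Run the rule over Zeek dns.log JSON lines; return (client ip, query) hits.

    `id.orig_h` is assumed to be the field the rule's `clientip` output refers to.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        query = rec.get("query")
        if query and matcher(query):
            hits.append((rec.get("id.orig_h"), query))
    return hits


# Constructed sample records (not real traffic), in Zeek's JSON dns.log shape.
SAMPLE_LOG = [
    '{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","query":"tor2web.org","qtype_name":"A"}',
    '{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.0.6","query":"www.example.com","qtype_name":"A"}',
    '{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.0.0.7","query":"abcdefghijklmnop.onion.to","qtype_name":"A"}',
    '{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.0.8","query":"S3.tor-gateways.DE.","qtype_name":"AAAA"}',
]

if __name__ == "__main__":
    print("exact  :", scan_zeek_dns(SAMPLE_LOG))
    print("suffix :", scan_zeek_dns(SAMPLE_LOG, matches_suffix))
```

Running the block shows that the exact matcher reports two clients while the suffix matcher also flags the third, whose lookup targets a host beneath `onion.to`. When deploying the rule, check which semantics your Sigma backend produces for this field and whether the Zeek `query` value carries a trailing dot in your pipeline.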
References
Related rules
- Copy From Or To Admin Share Or Sysvol Folder
- Powershell DNSExfiltration
- Suspicious Redirection to Local Admin Share
- Tap Driver Installation
- Tap Driver Installation - Security