Name:Windows Multi hop Proxy TOR Website Query id:4c2d198b-da58-48d7-ba27-9368732d0054 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic identifies DNS queries to known TOR proxy websites, such as "*.torproject.org" and "www.theonionrouter.com". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected. Data_source:
-Sysmon EventID 22
search:`sysmon` EventCode=22 QueryName IN ("*.torproject.org", "www.theonionrouter.com") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives:third party application may use this proxies if allowed in production environment. Filter is needed. References: -https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'AgentTesla' asset_type:Endpoint confidence:50 impact:50 message:a process $Image$ is having a dns query in a tor domain $QueryName$ in $dest$ mitre_attack_id: - 'T1071.003' - 'T1071' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Image' - 'QueryName' - 'QueryStatus' - 'ProcessId' - 'dest' risk_score:25 security_domain:endpoint
