Techniques
Sample rules
Windows Multi hop Proxy TOR Website Query
- source: splunk
- techniques:
- T1071.003
- T1071
Description
The following analytic identifies a DNS query (Sysmon Event ID 22) to a known TOR proxy website. This technique has been observed in several adversaries, threat actors and malware families such as AgentTesla. To disguise the source of their malicious traffic, adversaries may chain together multiple proxies. This anomaly detection may be a good pivot for finding a process that is trying to download or use TOR proxies on a compromised host.
Detection logic
`sysmon` EventCode=22 QueryName IN ("*.torproject.org", "www.theonionrouter.com")
| stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_multi_hop_proxy_tor_website_query_filter`
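The following is an added example, not part of the Splunk security content project: it replays the search, stats and rename steps of the analytic above in plain Python over constructed Sysmon Event ID 22 records, so the grouping and the wildcard behaviour can be checked offline. The sample events, host names, image paths and process IDs are all constructed; fnmatch stands in for Splunk's wildcard matching and values are lowercased on the assumption that the Splunk search command matches field values case-insensitively. The two filter macros at the end of the real search (ctime formatting and the tuning filter) are not reproduced.

```python
"""Replay of the "Windows Multi hop Proxy TOR Website Query" logic in Python
(added example; not the Splunk security content project's own code)."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Tuple

# Patterns copied from the SPL IN() clause. "*.torproject.org" needs the dot,
# so the bare apex "torproject.org" does not match; the second is an exact name.
TOR_PATTERNS = ("*.torproject.org", "www.theonionrouter.com")

# Constructed sample records shaped like Sysmon EventCode 22 (DNS query) fields
# after Splunk field extraction. _time is epoch seconds.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventCode": 22, "_time": 1700000000, "Computer": "WKSTN-01",
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "ProcessId": 4212,
     "QueryName": "www.torproject.org", "QueryStatus": "0"},
    {"EventCode": 22, "_time": 1700000030, "Computer": "WKSTN-01",
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "ProcessId": 4212,
     "QueryName": "dist.torproject.org", "QueryStatus": "0"},
    {"EventCode": 22, "_time": 1700000060, "Computer": "WKSTN-01",
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "ProcessId": 4212,
     "QueryName": "www.torproject.org", "QueryStatus": "0"},
    {"EventCode": 22, "_time": 1700000090, "Computer": "WKSTN-02",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ProcessId": 880,
     "QueryName": "www.theonionrouter.com", "QueryStatus": "9003"},
    # Noise that must NOT match: apex without the leading dot, a look-alike
    # suffix domain, and a non-DNS Sysmon event (process creation).
    {"EventCode": 22, "_time": 1700000120, "Computer": "WKSTN-02",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ProcessId": 880,
     "QueryName": "torproject.org", "QueryStatus": "0"},
    {"EventCode": 22, "_time": 1700000150, "Computer": "WKSTN-03",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1104,
     "QueryName": "www.theonionrouter.com.evil.example", "QueryStatus": "0"},
    {"EventCode": 1, "_time": 1700000180, "Computer": "WKSTN-03",
     "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 2200},
]


def is_tor_query(query_name: str) -> bool:
    """True if QueryName matches one of the watch-listed patterns
    (case-insensitive, wildcard via fnmatch as a stand-in for Splunk's *)."""
    name = query_name.lower()
    return any(fnmatchcase(name, p.lower()) for p in TOR_PATTERNS)


def detect_tor_queries(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the search, stats and rename steps of the analytic.

    Returns one row per (Image, QueryName, QueryStatus, ProcessId, dest) group
    with count, firstTime (min _time) and lastTime (max _time), sorted by
    dest, Image and QueryName for deterministic output."""
    groups: Dict[Tuple, Dict[str, object]] = {}
    for ev in events:
        if ev.get("EventCode") != 22:
            continue                          # `sysmon` EventCode=22
        qname = str(ev.get("QueryName", ""))
        if not is_tor_query(qname):
            continue                          # QueryName IN (...)
        key = (ev["Image"], qname, ev["QueryStatus"], ev["ProcessId"], ev["Computer"])
        t = ev["_time"]
        row = groups.get(key)
        if row is None:
            groups[key] = {"Image": key[0], "QueryName": key[1], "QueryStatus": key[2],
                           "ProcessId": key[3], "dest": key[4],  # rename Computer as dest
                           "count": 1, "firstTime": t, "lastTime": t}
        else:
            row["count"] += 1
            row["firstTime"] = min(row["firstTime"], t)     # min(_time) as firstTime
            row["lastTime"] = max(row["lastTime"], t)       # max(_time) as lastTime
    return sorted(groups.values(), key=lambda r: (r["dest"], r["Image"], r["QueryName"]))


if __name__ == "__main__":
    for row in detect_tor_queries(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows: two for the suspicious `update.exe` process on WKSTN-01 (one per distinct QueryName, the `www.torproject.org` row with a count of 2) and one for the failed `www.theonionrouter.com` lookup on WKSTN-02; the apex domain, the look-alike suffix and the non-DNS event are dropped, which is exactly why the `*.torproject.org` pattern and the exact second name behave differently in the SPL.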