DNS events related to ToR proxies

Back


Id	a83ef0f4-dace-4767-bce3-ebd32599d2a0
Rulename	DNS events related to ToR proxies
Description	Identifies IP addresses performing DNS lookups associated with common ToR proxies.
Severity	Low
Tactics	Exfiltration
Techniques	T1048
Required data connectors	DNS
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_TorProxies.yaml
Version	1.0.3
Arm template	a83ef0f4-dace-4767-bce3-ebd32599d2a0.json

KQL

DnsEvents
| where Name contains "."
| where Name has_any ("tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink", "onion.cab", "onion.nu", "onion.link",
"onion.it", "onion.city", "onion.direct", "onion.top", "onion.casa", "onion.plus", "onion.rip", "onion.dog", "tor2web.fi",
"tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt",
"s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net")
| extend HostName = iff(Computer has '.', substring(Computer,0,indexof(Computer,'.')),Computer)
| extend DnsDomain = iff(Computer has '.', substring(Computer,indexof(Computer,'.')+1),"")

YAML

status: Available
queryFrequency: 1d
queryPeriod: 1d
kind: Scheduled
version: 1.0.3
triggerThreshold: 0
description: |
    'Identifies IP addresses performing DNS lookups associated with common ToR proxies.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_TorProxies.yaml
requiredDataConnectors:
- connectorId: DNS
  dataTypes:
  - DnsEvents
id: a83ef0f4-dace-4767-bce3-ebd32599d2a0
tactics:
- Exfiltration
name: DNS events related to ToR proxies
triggerOperator: gt
relevantTechniques:
- T1048
query: |
  DnsEvents
  | where Name contains "."
  | where Name has_any ("tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink", "onion.cab", "onion.nu", "onion.link",
  "onion.it", "onion.city", "onion.direct", "onion.top", "onion.casa", "onion.plus", "onion.rip", "onion.dog", "tor2web.fi",
  "tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt",
  "s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net")
  | extend HostName = iff(Computer has '.', substring(Computer,0,indexof(Computer,'.')),Computer)
  | extend DnsDomain = iff(Computer has '.', substring(Computer,indexof(Computer,'.')+1),"")  
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: ClientIP
  entityType: IP
severity: Low

ARM