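title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
date: 2021/08/15
author: Saw Winn Naung , Azure-Sentinel
level: medium
logsource:
  service: dns
  product: zeek
tags:
  - attack.t1048
detection:
  selection:
    # Tor2web-style gateways are reached as "<onion-address>.<gateway-domain>", so the
    # queried name normally carries the gateway domain as its suffix. A plain `query:`
    # list is an exact match in Sigma and would only fire on a lookup of the bare
    # gateway domain itself; `endswith` covers the bare domain and any subdomain.
    # The suffix match also accepts unrelated names that merely end in one of these
    # strings (e.g. "xonion.to"); prefix the entries with "." if that becomes noisy.
    query|endswith:
      - "tor2web.org"
      - "tor2web.com"
      - "torlink.co"
      - "onion.to"
      - "onion.ink"
      - "onion.cab"
      - "onion.nu"
      - "onion.link"
      - "onion.it"
      - "onion.city"
      - "onion.direct"
      - "onion.top"
      - "onion.casa"
      - "onion.plus"
      - "onion.rip"
      - "onion.dog"
      - "tor2web.fi"
      - "tor2web.blutmagie.de"
      - "onion.sh"
      - "onion.lu"
      - "onion.pet"
      - "t2w.pw"
      - "tor2web.ae.org"
      - "tor2web.io"
      - "tor2web.xyz"
      - "onion.lt"
      - "s1.tor-gateways.de"
      - "s2.tor-gateways.de"
      - "s3.tor-gateways.de"
      - "s4.tor-gateways.de"
      - "s5.tor-gateways.de"
      - "hiddenservice.net"
  condition: selection
fields:
  # NOTE(review): Zeek's dns.log names the querying host `id.orig_h`; confirm the
  # target backend maps `clientip` to that field, otherwise this output field is empty.
  - clientip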