Adversaries may use DNS lookups to communicate with ToR proxies to mask their network activity and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert command and control channels or exfiltration attempts.
KQL Query
let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink", "onion.cab", "onion.nu", "onion.link",
"onion.it", "onion.city", "onion.direct", "onion.top", "onion.casa", "onion.plus", "onion.rip", "onion.dog", "tor2web.fi",
"tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt",
"s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net"]);
_Im_Dns(domain_has_any=torProxies)
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
id: 3fe3c520-04f1-44b8-8398-782ed21435f8
name: DNS events related to ToR proxies (ASIM DNS Schema)
description: |
  'Identifies IP addresses performing DNS lookups associated with common ToR proxies.
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
severity: Low
requiredDataConnectors:
  - connectorId: DNS
    dataTypes:
      - DnsEvents
  - connectorId: AzureFirewall
    dataTypes:
      - AzureDiagnostics
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: InfobloxNIOS
    dataTypes:
      - Syslog
  - connectorId: GCPDNSDataConnector
    dataTypes:
      - GCP_DNS_CL
  - connectorId: NXLogDnsLogs
    dataTypes:
      - NXLog_DNS_Server_CL
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_dns_CL
  - connectorId: Corelight
    dataTypes:
      - Corelight_CL
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1048
tags:
  - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_TorProxies.yaml
    version: 1.0.0
  - Schema: ASIMDns
    SchemaVersion: 0.1.1
query: |
  let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink", "onion.cab", "onion.nu", "onion.link",
  "onion.it", "onion.city", "onion.direct", "onion.top", "onion.casa", "onion.plus", "onion.rip", "onion.dog", "tor2web.fi",
  "tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt",
  "s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net"]);
  _Im_Dns(domain_has_any=torProxies)
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.3.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Yaron Fruchtmann
  support:
    tier: Community
  categories:
    domains: [ "Security - Network" ]
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main
Scenario: Legitimate DNS lookups by a system management tool (e.g., Microsoft System Center Configuration Manager (SCCM)) during inventory or patching processes.
Filter/Exclusion: Exclude DNS queries originating from known SCCM servers or IP ranges used by SCCM in the environment.
Scenario: Scheduled job running a script that uses a Tor proxy for internal testing or anonymized data collection (e.g., Python scripts using Tor via PySocks).
Filter/Exclusion: Exclude DNS queries initiated from known internal test servers or IP ranges used for development and testing.
Scenario: DNS resolution for internal services that use a Tor proxy for secure internal communication (e.g., internal API gateways or secure tunnels).
Filter/Exclusion: Exclude DNS queries for internal service domains or IP ranges that are known to use Tor for internal purposes.
Scenario: DNS lookups performed by a security tool (e.g., CrowdStrike Falcon or Microsoft Defender for Endpoint) as part of threat intelligence updates or malware analysis.
Filter/Exclusion: Exclude DNS queries from known security tool IP ranges or hostnames used by endpoint protection platforms.
Scenario: DNS resolution for a legitimate third-party service that uses a Tor proxy for privacy (e.g., some cloud-based analytics or compliance tools).
Filter/Exclusion: Exclude DNS queries for known third-party services that are whitelisted or have been confirmed to use Tor for legitimate purposes.
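The following is an added example, not part of the rule or the Azure-Sentinel repository: a stand-alone Python re-implementation of the KQL rule's core logic, run over a few constructed ASIM-style DNS events. It shows which queries the proxy list catches, how the rule derives HostName and HostNameDomain from Dvc, and how the source-IP exclusions described in the false-positive scenarios above (for example a known SCCM range) change what fires. Assumptions: the event dicts carry the ASIM fields DnsQuery, SrcIpAddr and Dvc; proxy matching is done by domain suffix (query equals a listed proxy or ends with ".<proxy>"), which approximates `domain_has_any` but is not identical to KQL's term-based `has_any`; the exclusion range 10.20.0.0/24 is invented for the example.

```python
import ipaddress

# Same proxy list as the rule's torProxies dynamic array.
TOR_PROXIES = [
    "tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink", "onion.cab",
    "onion.nu", "onion.link", "onion.it", "onion.city", "onion.direct", "onion.top",
    "onion.casa", "onion.plus", "onion.rip", "onion.dog", "tor2web.fi",
    "tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw",
    "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt", "s1.tor-gateways.de",
    "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de",
    "s5.tor-gateways.de", "hiddenservice.net",
]


def is_tor_proxy_query(query, proxies=TOR_PROXIES):
    """Suffix-based approximation of _Im_Dns(domain_has_any=torProxies).

    The queried name matches when it is exactly a listed proxy domain or a
    subdomain of one. A name that merely contains 'onion' as part of a label
    (e.g. onionsoup.example.com) does not match.
    """
    q = query.rstrip(".").lower()
    return any(q == p or q.endswith("." + p) for p in proxies)


def split_dvc(dvc):
    """Mirror the rule's HostName / HostNameDomain derivation from Dvc.

    HostName is the first dot-separated label; HostNameDomain is everything
    after the first dot, or the whole Dvc value when it contains no dot.
    """
    idx = dvc.find(".")
    hostname = dvc.split(".")[0]
    domain = dvc[idx + 1:] if idx != -1 else dvc
    return hostname, domain


def detect(events, exclude_ranges=()):
    """Return the events the rule would surface, after optional tuning.

    exclude_ranges holds CIDR strings for sources that the false-positive
    scenarios say should be filtered (SCCM servers, test ranges, security
    tooling). Each hit is enriched with HostName and HostNameDomain.
    """
    nets = [ipaddress.ip_network(r) for r in exclude_ranges]
    hits = []
    for ev in events:
        if not is_tor_proxy_query(ev["DnsQuery"]):
            continue
        src = ipaddress.ip_address(ev["SrcIpAddr"])
        if any(src in n for n in nets):
            continue  # known-benign source, see the tuning scenarios
        host, dom = split_dvc(ev["Dvc"])
        hits.append({**ev, "HostName": host, "HostNameDomain": dom})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"DnsQuery": "abcdefg.onion.to", "SrcIpAddr": "10.1.2.3", "Dvc": "ws01.corp.example"},
    {"DnsQuery": "www.tor2web.org", "SrcIpAddr": "10.20.0.5", "Dvc": "sccm01.corp.example"},
    {"DnsQuery": "onionsoup.example.com", "SrcIpAddr": "10.1.2.9", "Dvc": "ws02"},
    {"DnsQuery": "updates.example.com", "SrcIpAddr": "10.1.2.4", "Dvc": "ws03.corp.example"},
]

# Invented exclusion: the range hosting the organisation's SCCM servers.
SCCM_RANGE = ["10.20.0.0/24"]

if __name__ == "__main__":
    print("Untuned rule:")
    for h in detect(SAMPLE_EVENTS):
        print(f"  {h['SrcIpAddr']:<12} {h['HostName']:<8} {h['HostNameDomain']:<14} -> {h['DnsQuery']}")
    print("With SCCM range excluded:")
    for h in detect(SAMPLE_EVENTS, exclude_ranges=SCCM_RANGE):
        print(f"  {h['SrcIpAddr']:<12} {h['HostName']:<8} {h['HostNameDomain']:<14} -> {h['DnsQuery']}")
```

Run stand-alone, the untuned pass reports the ws01 and sccm01 lookups and the tuned pass only ws01. In the KQL rule itself the same tuning is expressed as a `where` filter on SrcIpAddr (or on HostName for hostname-based exclusions) appended after the `_Im_Dns` call; keep such exclusions narrow, since a wide range silences the exfiltration signal for every host inside it.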