Basic TOR Traffic Detection

Description

The anonymity of TOR makes it the perfect place to hide C&C, exfiltration, or ransomware payment via bitcoin. This example looks for ransomware activity based on FW logs.

Content Mapping

This content is not mapped to any local saved search.

Use Case

Advanced Threat Detection

Category

Command and Control, Endpoint Compromise, Ransomware, Zero Trust

Alert Volume

Low

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 1

MITRE ATT&CK Tactics

Exfiltration
Command and Control

MITRE ATT&CK Techniques

Exfiltration Over C2 Channel
Exfiltration Over Alternative Protocol
Application Layer Protocol
Non-Application Layer Protocol
Multi-hop Proxy
Proxy

MITRE Threat Groups

APT29
APT32
Gamaredon Group
PLATINUM
Soft Cell
Ke3chang
Lazarus Group
APT3
Turla
Frankenstein
Dragonfly 2.0
Wizard Spider
APT41
Rocke
FIN6
Kimsuky
MuddyWater
Stealth Falcon
Sandworm Team
Magic Hound
Blue Mockingbird

Kill Chain Phases

Command and Control

Data Sources

Network Communication

How to Implement

This use case requires you to index data from a source that does protocol analysis to determine the type of network traffic being used, regardless of the port associated with the traffic. This data is often available from next-generation firewalls or other traffic analysis tools such as Splunk Stream or Bro.

Known False Positives

None at the moment

How To Respond

When this search fires, you will need to verify with the system owner that they generated the traffic. Check your corporate policies to determine whether TOR is allowed in your environment.

Help

Basic TOR Traffic Detection Help

The anonymity of TOR makes it the perfect place for hackers who want to anonymize command and control or network connections. Many forms of ransomware install a TOR client to facilitate their payment via bitcoin. This use case analyzes your network traffic data to identify hosts that are generating TOR traffic within your environment.

SPL for Basic TOR Traffic Detection

Demo Data

First we load our NGFW demo data.
Then we filter for events where the firewall detects the presence of TOR and where we know the source_ip involved.
Finally we put everything in a table so that it is easy to use.

Live Data

First we load our NGFW data (we include many different options here; you should specify the index and sourcetype for the device that exists in your environment). Then we filter for events where the firewall detects the presence of TOR and where we know the source_ip involved.
Finally we put everything in a table so that it is easy to use.

Accelerated Data

First we load our NGFW data. Then we filter for events where the firewall detects the presence of TOR and where we know the source_ip, dest_ip, and dest_port involved.
Then we rename the fields to make our search more readable.
Finally we put everything in a table so that it is easy to use.
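The three walkthroughs above describe the same search against demo, raw, and accelerated data. As an added illustration (not the SPL shipped with this use case), the following is one way to write the accelerated variant against the CIM Network_Traffic data model; the `All_Traffic.app=tor` value is an assumption that must be matched to how your firewall labels the detected application.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic
    where All_Traffic.app=tor
      AND All_Traffic.src=*
      AND All_Traffic.dest=*
      AND All_Traffic.dest_port=*
    by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| rename All_Traffic.* as *
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime src dest dest_port count
```

The `=*` conditions drop events where the source, destination, or destination port was not parsed, which is the "where we know the source_ip, dest_ip, and dest_port involved" filter; the `rename` strips the `All_Traffic.` prefix so the resulting table reads cleanly.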