Basic TOR Traffic Detection

Description

The anonymity of TOR makes it the perfect place to hide C&C, exfiltration, or ransomware payment via bitcoin. This example looks for ransomware activity based on firewall (FW) logs.


Use Case

Advanced Threat Detection

Category

Command and Control, Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Exfiltration
Command and Control

MITRE ATT&CK Techniques

Exfiltration Over Command and Control Channel
Exfiltration Over Alternative Protocol
Standard Application Layer Protocol
Standard Non-Application Layer Protocol
Multi-hop Proxy

MITRE Threat Groups

APT18
APT19
APT28
APT29
APT3
APT32
APT33
APT37
APT38
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
Dragonfly 2.0
FIN4
FIN6
FIN7
FIN8
Gamaredon Group
Honeybee
Ke3chang
Kimsuky
Lazarus Group
Machete
Magic Hound
Night Dragon
OilRig
Orangeworm
PLATINUM
Rancor
SilverTerrier
Soft Cell
Stealth Falcon
Threat Group-3390
Thrip
Turla
WIRTE

Kill Chain Phases

Command and Control

Data Sources

Network Communication

How to Implement

This use case requires you to index data from a source that does protocol analysis to determine the type of network traffic being used, regardless of the port associated with the traffic. This data is often available from next-generation firewalls or other traffic analysis tools such as Splunk Stream or Bro.

Known False Positives

None at the moment

How To Respond

When this search fires, you will want to verify with the system owner that the traffic was generated by them. Check corporate policy on whether TOR is allowed in your environment.

Help

Basic TOR Traffic Detection Help

The anonymity of TOR makes it the perfect place for hackers who want to anonymize command and control or network connections. Many forms of ransomware install a TOR client to facilitate their payment via bitcoin. This use case analyzes your network traffic data to identify hosts that are generating TOR traffic within your environment.

SPL for Basic TOR Traffic Detection

Demo Data

First we load our NGFW demo data.
We filter for where the firewall detects the presence of tor, and where we know the source_ip involved.
Finally we put everything in a table so that it's easy to use.

Live Data

First we load our NGFW data (we include many different options here -- you should specify the index and sourcetype for the device that exists in your environment). Then we filter for where the firewall detects the presence of tor, and where we know the source_ip involved.
Finally we put everything in a table so that it's easy to use.

Accelerated Data

First we load our NGFW data. Then we filter for where the firewall detects the presence of tor, and where we know the source_ip, dest_ip, and dest_port involved.
Then we rename fields to make our search more readable.
Finally we put everything in a table so that it's easy to use.
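The three variants above (demo, live and accelerated) all apply the same three steps: load the NGFW events, keep only those the firewall classified as tor and that carry a known source address, then lay the result out as a table. The following Python is an added example that is not part of this page or of Splunk Security Essentials; it runs that logic outside Splunk over a handful of constructed key=value firewall log lines. The field names (src_ip, dest_ip, dest_port, app, action) and the assumption that the firewall labels the application as "tor" (matched case-insensitively, since vendors differ) are assumptions, not taken from the page.

```python
"""Added example: the TOR-traffic filter described above, run over constructed NGFW log lines."""
import re
from collections import Counter

# Constructed sample NGFW events in key=value form (not real data).
# Line 4 deliberately lacks src_ip; line 6 uses a different capitalisation of the app name.
SAMPLE_LOGS = [
    'time="2023-01-01T10:00:01" src_ip=10.1.2.3 dest_ip=198.51.100.7 dest_port=443 app=tor action=allowed',
    'time="2023-01-01T10:00:02" src_ip=10.1.2.4 dest_ip=203.0.113.5 dest_port=443 app=ssl action=allowed',
    'time="2023-01-01T10:00:03" src_ip=10.1.2.3 dest_ip=198.51.100.9 dest_port=9001 app=tor action=allowed',
    'time="2023-01-01T10:00:04" dest_ip=198.51.100.11 dest_port=443 app=tor action=allowed',
    'time="2023-01-01T10:00:05" src_ip=10.1.2.5 dest_ip=192.0.2.8 dest_port=80 app=web-browsing action=allowed',
    'time="2023-01-01T10:00:06" src_ip=10.1.2.6 dest_ip=198.51.100.20 dest_port=8443 app=TOR action=denied',
]

# key=value pairs; values may be quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Step 1: turn one log line into a dict of fields (quotes stripped from values)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def tor_events(lines, app_field="app", required=("src_ip",)):
    """Step 2: keep events the firewall classified as tor AND that carry every required field.

    app_field and the 'tor' label are assumed names; adjust to the NGFW in use.
    """
    kept = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get(app_field, "").lower() != "tor":
            continue
        if any(not ev.get(f) for f in required):
            continue  # unknown source host: nothing to hand to a system owner
        kept.append(ev)
    return kept


def tor_table(lines):
    """Step 3: the 'table' - a fixed column order that is easy to triage."""
    cols = ("time", "src_ip", "dest_ip", "dest_port", "app", "action")
    return [tuple(ev.get(c, "") for c in cols) for ev in tor_events(lines)]


def sources_by_count(lines):
    """Internal hosts generating TOR traffic, busiest first (for the response step)."""
    return Counter(ev["src_ip"] for ev in tor_events(lines)).most_common()


if __name__ == "__main__":
    for row in tor_table(SAMPLE_LOGS):
        print(" | ".join(row))
    print(sources_by_count(SAMPLE_LOGS))
```

On the constructed input this yields three rows (the event without src_ip is dropped, the "TOR" event is kept) and two source hosts to follow up with, 10.1.2.3 appearing twice. The required-fields tuple is where the accelerated variant differs: pass required=("src_ip", "dest_ip", "dest_port") to mirror its stricter filter.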