Detection rules › Kusto Query Language

DNS events related to ToR proxies (ASIM DNS Schema)

Author: Yaron Fruchtmann
Source: upstream

'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema'

MITRE ATT&CK coverage

Tactic	Techniques
Exfiltration	`T1048` Exfiltration Over Alternative Protocol

Event coverage

Provider	Event ID	Title
Sysmon	22	DNSEvent (DNS query)

Stages and Predicates

Stage 1: `source`

_Im_Dns

DNS events related to ToR proxies (ASIM DNS Schema)

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `extend`

Stage 3: `extend`

Stage 4: `project-away`

Keyboard Shortcuts

DNS events related to ToR proxies (ASIM DNS Schema)

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: extend

Stage 3: extend

Stage 4: project-away

Stage 1: `source`

Stage 2: `extend`

Stage 3: `extend`

Stage 4: `project-away`