Vendor-native detections for T1090
14 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
google_safebrowsing_file_contacts_tor_exit_node
A malicious file contacting a known Tor Exit Node.
rule google_safebrowsing_file_contacts_tor_exit_node {
meta:
author = "Google Cloud Security"
description = "A malicious file contacting a known Tor Exit Node."
rule_id = "mr_f6733319-50b3-477e-bad6-96bb4c14c632"
rule_name = "Google Safebrowsing File Contacts Tor Exit Node"
tactic = "TA0011"
technique = "T1090.003"
type = "alert"
data_source = "microsoft defender atp, crowdstrike, microsoft sysmon"
severity = "Critical"
priority = "High"
events:
$network.metadata.event_type = "NETWORK_CONNECTION"
$network.principal.process.file.sha256 != ""
$network.principal.process.file.sha256 = $file_hash
$network.principal.hostname = $hostname
$network.target.ip = $ip
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"
$safebrowse.graph.metadata.threat.category = "SOFTWARE_MALICIOUS"
$safebrowse.graph.entity.file.sha256 = $file_hash
// Tor IP listing provided by GCTI Feed
$gcti.graph.entity.artifact.ip = $ip
$gcti.graph.metadata.entity_type = "IP_ADDRESS"
$gcti.graph.metadata.source_type = "GLOBAL_CONTEXT"
$gcti.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
$gcti.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
$gcti.graph.metadata.product_name = "GCTI Feed"
match:
$hostname over 1h
outcome:
$risk_score = 95
$event_count = count_distinct($network.metadata.id)
//added to populate alert graph with additional context
$principal_ip = array_distinct($network.principal.ip)
$target_ip = array_distinct($network.target.ip)
$principal_process_pid = array_distinct($network.principal.process.pid)
$principal_process_command_line = array_distinct($network.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
//$target_process_pid = array_distinct($network.target.process.pid)
$target_process_command_line = array_distinct($network.target.process.command_line)
$target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
$target_process_file_full_path = array_distinct($network.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
$principal_user_userid = array_distinct($network.principal.user.userid)
$target_user_userid = array_distinct($network.target.user.userid)
condition:
$network and $gcti and $safebrowse
}
vt_relationships_file_contacts_tor_ip
Alert on known Hash contacting Tor IP with VT Relationships.
rule vt_relationships_file_contacts_tor_ip {
meta:
author = "Google Cloud Security"
description = "Alert on known Hash contacting Tor IP with VT Relationships."
rule_id = "mr_a6f8b114-8fdb-4f39-8820-8961dcbb1079"
rule_name = "VT Relationships File Contacts Tor IP"
tactic = "TA0011"
technique = "T1090.003"
type = "alert"
tags = "vt, tor"
data_source = "microsoft defender atp"
severity = "Critical"
priority = "High"
events:
$network.metadata.event_type = "NETWORK_CONNECTION"
$network.principal.process.file.sha256 = $file_hash
$network.target.ip = $ip
$network.principal.hostname = $hostname
// Uses VirusTotal integration via entity graph, this section maps to principal process file hash
$vt.graph.metadata.entity_type = "FILE"
$vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
$vt.graph.metadata.vendor_name = "VirusTotal"
$vt.graph.metadata.product_name = "VirusTotal Relationships"
$vt.graph.entity.file.sha256 = $file_hash
// Uses VirusTotal integration via entity graph, this section maps the hash to the ip address it contacts
$vt.graph.relations.entity_type = "IP_ADDRESS"
$vt.graph.relations.relationship = "CONTACTS"
$vt.graph.relations.entity.ip = $ip
// Tor IP listing provided by GCTI Feed
$gcti.graph.entity.artifact.ip = $ip
$gcti.graph.metadata.entity_type = "IP_ADDRESS"
$gcti.graph.metadata.source_type = "GLOBAL_CONTEXT"
$gcti.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
$gcti.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
$gcti.graph.metadata.product_name = "GCTI Feed"
match:
$hostname over 5m
outcome:
$risk_score = max(
if($gcti.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70) +
// Unauthorized target geographies
if($network.target.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "Iran", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "Russia", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "Syria", 20)
)
$event_count = count_distinct($network.metadata.id)
$count_file_hash = count_distinct($file_hash)
$count_tor_ips = count_distinct($ip)
$tor_geoip_country = array_distinct($network.target.ip_geo_artifact.location.country_or_region)
$tor_geoip_state = array_distinct($network.target.ip_geo_artifact.location.state)
// added to populate alert graph with additional context
$principal_ip = array_distinct($network.principal.ip)
$target_ip = array_distinct($network.target.ip)
$principal_process_pid = array_distinct($network.principal.process.pid)
$principal_process_command_line = array_distinct($network.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
//$target_process_pid = array_distinct($network.target.process.pid)
//$target_process_command_line = array_distinct($network.target.process.command_line)
//$target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
$target_process_file_full_path = array_distinct($network.target.process.file.full_path)
//$target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
//$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
$principal_user_userid = array_distinct($network.principal.user.userid)
//$target_user_userid = array_distinct($network.target.user.userid)
$target_url = array_distinct($network.target.url)
condition:
$network and $vt and $gcti
}
aws_guardduty_tor_network_activity_detected
Amazon GuardDuty detects Tor Network activity in an AWS account.
rule aws_guardduty_tor_network_activity_detected {
meta:
author = "Google Cloud Security"
description = "Amazon GuardDuty detects Tor Network activity in an AWS account."
rule_id = "mr_abbc8f85-d4a3-4579-b444-19e6944f49d1"
rule_name = "AWS GuardDuty Tor Network Activity Detected"
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "Proxy: Multi-hop Proxy"
mitre_attack_url = "https://attack.mitre.org/techniques/T1090/003/"
mitre_attack_version = "v13.1"
type = "Alert"
data_source = "AWS GuardDuty"
platform = "AWS"
severity = "High"
priority = "High"
events:
$guardduty.metadata.vendor_name = "AMAZON"
$guardduty.metadata.product_name = "AWS GuardDuty"
$guardduty.metadata.product_event_type = /TorIPCaller|TorRelay|TorClient/
//Filter out sample findings
$guardduty.security_result.about.labels["Sample"] != "true"
outcome:
$risk_score = max(35)
$mitre_attack_tactic = "Command and Control"
$mitre_attack_technique = "Proxy: Multi-hop Proxy"
$mitre_attack_technique_id = "T1090.003"
$event_count = count_distinct($guardduty.metadata.id)
$principal_ip = array_distinct($guardduty.principal.ip)
$principal_ip_country = array_distinct($guardduty.principal.ip_geo_artifact.location.country_or_region)
$principal_ip_state = array_distinct($guardduty.principal.ip_geo_artifact.location.state)
$principal_user_display_name = $guardduty.principal.user.user_display_name
$aws_region = $guardduty.target.location.name
$target_resource_name = $guardduty.target.resource.name
$target_resource_product_object_id = $guardduty.target.resource.product_object_id
$security_result_summary = array_distinct($guardduty.security_result.summary)
$security_result_description = array_distinct($guardduty.security_result.description)
$security_result_severity = array_distinct($guardduty.security_result.severity)
$security_result_severity_details = array_distinct($guardduty.security_result.severity_details)
$metadata_product_event_type = array_distinct($guardduty.metadata.product_event_type)
condition:
$guardduty
}
gcti_benign_binaries_contacts_tor_exit_node
Alert on Benign Binary contacting a TOR IP
rule gcti_benign_binaries_contacts_tor_exit_node {
meta:
author = "Google Cloud Security"
description = "Alert on Benign Binary contacting a TOR IP"
rule_id = "mr_8bb13cf7-d66b-41f2-9bbc-0a1884a77f70"
rule_name = "GCTI Benign Binaries Contacts Tor Exit Node"
tactic = "TA0011"
technique = "T1090.003"
type = "alert"
tags = "tor, benign binaries"
data_source = "crowdstrike"
severity = "High"
priority = "High"
events:
$network.metadata.event_type = "NETWORK_CONNECTION"
$network.principal.process.file.sha256 = $benign_hash
$network.target.ip = $ip
// Benign Files provided by GCTI Feed
$gcti_feed.graph.entity.file.sha256 = $benign_hash
$gcti_feed.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
$gcti_feed.graph.metadata.product_name = "GCTI Feed"
$gcti_feed.graph.metadata.entity_type = "FILE"
$gcti_feed.graph.metadata.threat.threat_feed_name = "Benign Binaries"
$gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
// Tor IP listing provided by GCTI Feed
$tor.graph.entity.artifact.ip = $ip
$tor.graph.metadata.entity_type = "IP_ADDRESS"
$tor.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
$tor.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
$tor.graph.metadata.product_name = "GCTI Feed"
$tor.graph.metadata.source_type = "GLOBAL_CONTEXT"
match:
$ip over 5m
outcome:
$risk_score = max(
if($tor.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70) +
// Unauthorized target geographies
if($network.target.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "Iran", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "Russia", 20) +
if($network.target.ip_geo_artifact.location.country_or_region = "Syria", 20)
)
$event_count = count_distinct($network.metadata.id)
$tor_ip_country = array_distinct($network.target.ip_geo_artifact.location.country_or_region)
// added to populate alert graph with additional context
$principal_ip = array_distinct($network.principal.ip)
// Commented out target.ip because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$target_ip = array_distinct($network.target.ip)
$principal_process_pid = array_distinct($network.principal.process.pid)
$principal_process_command_line = array_distinct($network.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($network.target.process.pid)
$target_process_command_line = array_distinct($network.target.process.command_line)
$target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
$target_process_file_full_path = array_distinct($network.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
//$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
$principal_user_userid = array_distinct($network.principal.user.userid)
$target_user_userid = array_distinct($network.target.user.userid)
condition:
$network and $gcti_feed and $tor
}
gcti_tor_exit_nodes
Alert traffic destined for known Tor exit nodes
rule gcti_tor_exit_nodes {
meta:
author = "Google Cloud Security"
description = "Alert traffic destined for known Tor exit nodes"
rule_id = "mr_1d31f0e4-8cd9-4fc2-ae87-e91a435fe34f"
rule_name = "GCTI Tor Exit Nodes"
tactic = "TA0011"
technique = "T1090.003"
type = "alert"
tags = "tor"
data_source = "crowdstrike, microsoft sysmon, microsoft defender atp"
severity = "High"
priority = "High"
events:
$network.metadata.event_type = "NETWORK_CONNECTION"
$network.security_result.action = "ALLOW"
$network.target.ip = $ip
// Tor IP listing provided by GCTI Feed
$gcti_feed.graph.entity.artifact.ip = $ip
$gcti_feed.graph.metadata.entity_type = "IP_ADDRESS"
$gcti_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
$gcti_feed.graph.metadata.product_name = "GCTI Feed"
$gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
match:
$ip over 1h
outcome:
$risk_score = 85
$event_count = count_distinct($network.metadata.id)
$tor_geoip_country = array_distinct($network.target.ip_geo_artifact.location.country_or_region)
$tor_geoip_state = array_distinct($network.target.ip_geo_artifact.location.state)
// added to populate alert graph with additional context
$principal_ip = array_distinct($network.principal.ip)
// Commented out target.ip because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$target_ip = array_distinct($network.target.ip)
$principal_process_pid = array_distinct($network.principal.process.pid)
$principal_process_command_line = array_distinct($network.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($network.target.process.pid)
$target_process_command_line = array_distinct($network.target.process.command_line)
$target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
$target_process_file_full_path = array_distinct($network.target.process.file.full_path)
//$target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
//$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
$principal_user_userid = array_distinct($network.principal.user.userid)
$target_user_userid = array_distinct($network.target.user.userid)
condition:
$network and $gcti_feed
}
FortiGate SOCKS Traffic from an Unusual Process
This detection correlates FortiGate application control SOCKS events with Elastic Defend network events to identify the source process generating the SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems or to act as an intermediary for communications with a command and control server, avoiding direct connections to their own infrastructure.
port_proxy_forwarding_T1090_cisa_report
Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4
rule port_proxy_forwarding_T1090_cisa_report {
meta:
author = "Google Cloud Security"
description = "Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4"
rule_id = "mr_4c6f2d66-ed6f-4dda-bd2f-7c545898468b"
rule_name = "MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report"
type = "hunt"
platform = "Windows"
data_source = "microsoft sysmon, windows event log"
tactic = "TA0011"
technique = "T1090"
reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
severity = "Low"
priority = "Low"
events:
(
$process.metadata.event_type = "PROCESS_LAUNCH" and
// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*add.*v4tov4`) nocase
// For greater precision to align with the report, comment out the above line and uncomment the below line to incorporate exact ports referenced
//re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*add.*v4tov4.*port\=(9999|50100).*port\=(8443|1433)`) nocase
)
or
(
// Looks for the actual registry creation or modification that would accompany portproxy command executing
(
$process.metadata.event_type = "REGISTRY_CREATION" or
$process.metadata.event_type = "REGISTRY_MODIFICATION"
) and
$process.target.registry.registry_key = "HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4"
)
$process.principal.hostname = $hostname
match:
$hostname over 5m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
$process
}
Cisco SA - Access to Anonymizer Services
This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry.
Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection.
Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
`cisco_secure_access_dns` action = "allowed" category= "*anonymizer*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime values(domain) as domain values(query) as query values(reply_code) as reply_code values(record_type) as record_type by src_ip src_external_ip user identity_type action category sourcetype | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_sa___access_to_anonymizer_services_filter`
TOR Traffic
The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities.
It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed.
This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination.
If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic WHERE
All_Traffic.app=tor
All_Traffic.action IN ("allowed", "allow")
BY All_Traffic.action All_Traffic.app All_Traffic.bytes
All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc
All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
All_Traffic.user All_Traffic.vendor_product All_Traffic.rule
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `tor_traffic_filter`
Windows Devtunnels Execution
Detects the execution of Microsoft devtunnels.exe.
Microsoft Devtunnels is a feature within Visual Studio that allows developers to expose their local development environment to the internet via secure, temporary tunnels, enabling external access for testing webhooks, APIs, and other services.
While designed for legitimate development purposes, an attacker could exploit this feature to expose a compromised system or service to the internet, creating a covert communication channel that bypasses network security measures.
By using Dev Tunnels, the attacker can establish a remote connection to the compromised environment, facilitate data exfiltration, or maintain command-and-control communications while avoiding detection by blending their activities with legitimate development traffic.
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.original_file_name="devtunnel.dll"
OR
Processes.process_name="devtunnel.exe"
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_devtunnels_execution_filter`
Windows Devtunnels Image Loaded
Detects image load events associated with Microsoft Devtunnels usage.
Microsoft Devtunnels is a feature within Visual Studio that allows developers to expose their local development environment to the internet via secure, temporary tunnels, enabling external access for testing webhooks, APIs, and other services.
While designed for legitimate development purposes, an attacker could exploit this feature to expose a compromised system or service to the internet, creating a covert communication channel that bypasses network security measures.
By using Dev Tunnels, the attacker can establish a remote connection to the compromised environment, facilitate data exfiltration, or maintain command-and-control communications while avoiding detection by blending their activities with legitimate development traffic.
`sysmon`
EventID=7
ImageLoaded="*\\AppData\\Local\\Temp\\.net\\devtunnel\\*"
ImageLoaded="*devtunnel.dll"
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by Computer ImageLoaded EventID loaded_file loaded_file_path process_exec process_guid
process_hash process_id process_name process_path service_dll_signature_exists
service_dll_signature_verified signature_id user_id vendor_product
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_devtunnels_image_loaded_filter`
Windows Proxy Via Netsh
The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "portproxy" and "v4tov4" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_proxy_via_netsh_filter`
Windows Proxy Via Registry
The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`
Windows TOR Client Execution
The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity.
Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.
While TOR can be used for legitimate research and privacy purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process_name = "tor.exe"
OR
(
Processes.process_path = "*\\BraveSoftware\\Brave-Browser*"
Processes.process_path = "*\\tor-*"
)
)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_tor_client_execution_filter`