Suspicious processes (e.g., Tor clients, relays, unknown binaries) launch with sustained encrypted outbound traffic to known anonymity infrastructure (e.g., Tor, I2P), and may relay to additional internal systems via reverse proxying, ICMP tunneling, or socket forwarding.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Traffic Flow (DC0078) | dns:query | Outbound resolution to hidden service domains (e.g., `.onion`) |

| Field | Description |
|---|---|
| DomainCategory | Can be tuned to `.onion`, I2P, or suspicious CDN domains. |
| ProcessParent | Distinguish known-good from abnormal launching binaries (e.g., mshta spawning Tor). |
| ConnectionDuration | Threshold for persistent connections over known relay ports (e.g., 9050). |
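The following is an added example, not ATT&CK's own analytic or a vendor rule, showing how the three mutable elements above can be applied together over Sysmon process-creation (EventCode 1), network-connection (EventCode 3) and DNS-query (EventCode 22, used here to stand in for the `dns:query` channel) events. The events, parent list, relay ports and threshold are constructed for the example; Sysmon records connection creation rather than duration, so "sustained" is approximated by the span between the first and last relay-port connection from the same process.

```python
from collections import defaultdict
from datetime import datetime

# Tunable elements named in the tables above; these values are constructed examples.
SUSPICIOUS_DOMAIN_SUFFIXES = (".onion", ".i2p")                  # DomainCategory
ABNORMAL_PARENTS = {"mshta.exe", "wscript.exe", "rundll32.exe"}  # ProcessParent (assumed list)
RELAY_PORTS = {9001, 9050, 9150}                                  # Tor OR/SOCKS ports (assumed list)
DURATION_THRESHOLD_S = 300                                        # ConnectionDuration (seconds)

# Constructed Sysmon-style events (1 = process creation, 3 = network connection,
# 22 = DNS query). Only the fields the rules consult are kept.
EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-01-01 10:00:00", "ProcessId": 4242,
     "Image": r"C:\Users\u\AppData\Local\Temp\tor.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventCode": 3, "UtcTime": "2024-01-01 10:00:05", "ProcessId": 4242,
     "DestinationIp": "203.0.113.10", "DestinationPort": 9001, "Protocol": "tcp"},
    {"EventCode": 22, "UtcTime": "2024-01-01 10:00:06", "ProcessId": 4242,
     "QueryName": "example.onion"},
    {"EventCode": 3, "UtcTime": "2024-01-01 10:07:00", "ProcessId": 4242,
     "DestinationIp": "203.0.113.10", "DestinationPort": 9001, "Protocol": "tcp"},
    {"EventCode": 1, "UtcTime": "2024-01-01 10:01:00", "ProcessId": 5000,
     "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 3, "UtcTime": "2024-01-01 10:01:02", "ProcessId": 5000,
     "DestinationIp": "198.51.100.5", "DestinationPort": 443, "Protocol": "tcp"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Group events by ProcessId and return {pid: [reasons]} for processes that
    trip at least one of the tunable checks."""
    by_pid = defaultdict(lambda: {"parent": "", "relay_times": [], "domains": []})
    for ev in events:
        rec = by_pid[ev["ProcessId"]]
        code = ev["EventCode"]
        if code == 1:
            rec["parent"] = ev["ParentImage"]
        elif code == 3 and ev["DestinationPort"] in RELAY_PORTS:
            rec["relay_times"].append(_ts(ev["UtcTime"]))
        elif code == 22:
            rec["domains"].append(ev["QueryName"].lower())

    findings = {}
    for pid, rec in by_pid.items():
        reasons = []
        parent = _basename(rec["parent"])
        if parent in ABNORMAL_PARENTS:
            reasons.append(f"abnormal parent {parent}")
        if rec["relay_times"]:
            span = (max(rec["relay_times"]) - min(rec["relay_times"])).total_seconds()
            if span >= DURATION_THRESHOLD_S:
                reasons.append(f"sustained relay-port activity over {span:.0f}s")
        for domain in rec["domains"]:
            if domain.endswith(SUSPICIOUS_DOMAIN_SUFFIXES):
                reasons.append(f"hidden-service lookup {domain}")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in correlate(EVENTS).items():
        print(pid, reasons)
```

Each check is independent so that a single hit (a `.onion` lookup, say) still surfaces; in production the parent allowlist and relay-port set are the elements to tune per environment, as the table notes.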
Tools such as tor, nglite, proxychains, chisel, or custom daemons repeatedly initiate outbound sessions to multiple nodes before the final destination. This behavior is abnormal for Linux services outside of VPN, monitoring, or CDN relay contexts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve for proxy tools |
| Network Traffic Flow (DC0078) | NSM:Flow | conn.log + ssl.log with Tor fingerprinting |
| Network Traffic Content (DC0085) | Netfilter/iptables | Forwarded packets log |

| Field | Description |
|---|---|
| ExecutablePath | Match known proxy tools, tuned for environment. |
| RelayCount | Detect outbound chaining behavior through >2 IPs in short succession. |
| ProtocolType | Allow filtering by ICMP, TCP/443, UDP for obfuscation channels. |
LaunchAgents or LaunchDaemons initiate persistent Tor or relay processes that make encrypted outbound connections. May be paired with sandbox bypasses or unsigned executables communicating over SOCKS proxies.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process, socket, and DNS logs |
| Network Connection Creation (DC0082) | macos:osquery | process_events + launchd |
| Network Traffic Flow (DC0078) | macos:unifiedlog | forwarded encrypted traffic |

| Field | Description |
|---|---|
| LaunchdLabel | Regex for masking patterns in LaunchAgents with proxy behavior. |
| UnsignedBinary | Allow for exceptions for known unsigned binaries. |
| SOCKSPortUsage | Monitor local 9050/9150 activity and rerouted system traffic. |
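An added example (not Apple's, ATT&CK's or any project's code) of reviewing a LaunchAgent property list against the three elements above: a LaunchdLabel that mimics an Apple label while pointing at a program outside Apple's system paths, proxy tooling or SOCKS ports in `ProgramArguments`, and an exception list standing in for UnsignedBinary (actual signature checks would come from `codesign`, which is not run here). Both plists, the Apple path list and the keyword pattern are constructed assumptions.

```python
import plistlib
import re

APPLE_LABEL = re.compile(r"^com\.apple\.", re.I)     # LaunchdLabel masking pattern (assumed)
APPLE_PROGRAM_PATHS = ("/System/", "/usr/libexec/", "/usr/sbin/",
                       "/usr/bin/", "/Library/Apple/")  # where Apple-labelled items normally live (assumed)
PROXY_HINTS = re.compile(r"(\btor\b|socks|proxychains|chisel)", re.I)
SOCKS_PORTS = {"9050", "9150"}                        # SOCKSPortUsage

# Constructed LaunchAgent that masquerades as an Apple label but runs a user-writable binary.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdated</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/.cache/tor</string>
    <string>--SocksPort</string>
    <string>9150</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign LaunchAgent for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Updater.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def review_launch_item(plist_bytes, unsigned_exceptions=frozenset()):
    """Return a list of reasons the launchd item looks like proxy/relay persistence
    (empty list = nothing flagged). unsigned_exceptions holds program paths that
    are known unsigned but approved (the UnsignedBinary element)."""
    item = plistlib.loads(plist_bytes)
    label = str(item.get("Label", ""))
    args = [str(a) for a in item.get("ProgramArguments", [])]
    if "Program" in item:            # launchd prefers Program over ProgramArguments[0]
        args.insert(0, str(item["Program"]))
    program = args[0] if args else ""
    if program in unsigned_exceptions:
        return []

    reasons = []
    if APPLE_LABEL.match(label) and not program.startswith(APPLE_PROGRAM_PATHS):
        reasons.append(f"label {label} mimics Apple but program is {program}")
    if PROXY_HINTS.search(" ".join(args)):
        reasons.append("proxy/relay tool referenced in ProgramArguments")
    if SOCKS_PORTS & set(args):
        reasons.append("SOCKS port passed as an argument")
    # Persistence flags only add context when something else already looks wrong.
    if reasons and item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("persistent: RunAtLoad and KeepAlive both set")
    return reasons


if __name__ == "__main__":
    print(review_launch_item(SUSPICIOUS_PLIST))
    print(review_launch_item(BENIGN_PLIST))
```

Feeding real files is a matter of iterating `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` and passing each file's bytes in; binary plists are handled by `plistlib.loads` as well.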
Outbound encrypted traffic initiated from the hypervisor shell or via VM backdoor mechanisms to relays in VPS infrastructure, especially if traversing multiple nodes before reaching the Internet destination. Packet captures or firewall logs show non-VM communication paths.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | esxi:esxupdate | /var/log/esxupdate.log or /var/log/vmksummary.log |
| Network Traffic Flow (DC0078) | esxi:vmkernel | /var/log/vmkernel.log |
| Network Traffic Content (DC0085) | NSM:Flow | Relay patterns across IP hops |

| Field | Description |
|---|---|
| HopCount | Threshold on number of IPs contacted in sequence without DNS resolution. |
| ShellAccess | Flag if relay communication initiated by ESXi shell or unknown VM agent. |
| VPSIPRange | Filter for known Tor/VPS egress networks. |
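The RelayCount element in the Linux table (more than two IPs contacted in short succession) and the HopCount element here (IPs contacted in sequence without a preceding DNS resolution) are the same check viewed from NSM flow data, with the ProtocolType element deciding which connections are in scope. The following added example (not ATT&CK's, Zeek's or any project's code) runs that check over constructed, simplified `conn.log`/`dns.log` extracts; the column layout, window, threshold and port set are assumptions for the example.

```python
from collections import defaultdict

# Constructed, simplified flow extract: ts, id.orig_h, id.resp_h, id.resp_p, proto.
# Real Zeek conn.log carries many more columns; this layout is an assumption.
CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.10\t443\ttcp
1700000004.0\t10.0.0.5\t198.51.100.7\t443\ttcp
1700000009.0\t10.0.0.5\t192.0.2.33\t9001\ttcp
1700000012.0\t10.0.0.5\t192.0.2.44\t0\ticmp
1700000100.0\t10.0.0.9\t198.51.100.9\t443\ttcp
"""

# Constructed, simplified DNS extract: ts, id.orig_h, qtype, answer.
DNS_LOG = """\
1700000095.0\t10.0.0.9\tA\t198.51.100.9
"""

TCP_PORTS_OF_INTEREST = {443, 9001, 9050, 9150}  # ProtocolType tuning (assumed values)


def parse_conn(text):
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, resp, port, proto = line.split("\t")
        rows.append((float(ts), orig, resp, int(port), proto))
    rows.sort()
    return rows


def parse_dns(text):
    """host -> [(ts, answered IP), ...]"""
    index = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, _qtype, answer = line.split("\t")
        index[orig].append((float(ts), answer))
    return index


def resolved_before(dns_index, host, ip, ts):
    """True if host received ip as a DNS answer at or before ts."""
    return any(dts <= ts and ans == ip for dts, ans in dns_index.get(host, ()))


def in_scope(proto, port):
    # ProtocolType: ICMP, UDP, and TCP on the ports of interest.
    return proto in ("icmp", "udp") or (proto == "tcp" and port in TCP_PORTS_OF_INTEREST)


def detect_relay_chains(conn_text, dns_text, window=30.0, threshold=2):
    """Return findings for hosts that contact more than `threshold` distinct peers
    within `window` seconds; each finding lists which peers were never resolved."""
    dns_index = parse_dns(dns_text)
    per_host = defaultdict(list)
    for ts, orig, resp, port, proto in parse_conn(conn_text):
        if in_scope(proto, port):
            per_host[orig].append((ts, resp))

    findings = []
    for host, conns in per_host.items():
        i = 0
        while i < len(conns):
            j = i
            while j < len(conns) and conns[j][0] - conns[i][0] <= window:
                j += 1
            first_seen = {}
            for ts, ip in conns[i:j]:
                first_seen.setdefault(ip, ts)
            if len(first_seen) > threshold:
                unresolved = [ip for ip, t in first_seen.items()
                              if not resolved_before(dns_index, host, ip, t)]
                findings.append({"host": host, "window_start": conns[i][0],
                                 "ips": list(first_seen), "unresolved": unresolved})
                i = j            # do not re-report the same burst
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in detect_relay_chains(CONN_LOG, DNS_LOG):
        print(f)
```

Legitimate services such as VPN concentrators or monitoring agents also fan out to many peers without DNS, so the VPNConfigWhitelist and VPSIPRange elements would be applied as allow/deny filters on `per_host` before the windowing step.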
Encrypted traffic or ICMP tunneling from border routers to internal routers or unknown external IPs. Forwarded traffic shows consistent hop-to-hop relaying without matching configured VPN or expected network topology.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | NSM:Flow | Relayed session pathing (multi-hop) |
| Network Traffic Content (DC0085) | NSM:Firewall | Outbound encrypted traffic |
| Firmware Modification (DC0004) | networkdevice:syslog | Custom firmware or routing changes |

| Field | Description |
|---|---|
| VPNConfigWhitelist | Define allowed internal router communication paths. |
| ICMPPayloadEntropy | High entropy ICMP payloads may indicate tunneling activity. |
| RelayChainSignature | Track known multi-hop pattern signatures or port hopping techniques. |
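An added example (not ATT&CK's or any tool's code) of the ICMPPayloadEntropy element: Shannon entropy of echo-request payloads, with a caveat a practitioner would want. A stock ping payload is mostly distinct bytes, so on a single 56-byte packet its entropy is close to that of random data (both are capped by log2(56)); the separation only appears when payloads are aggregated across a flow, where the ping pattern repeats and tunneled ciphertext does not. The packets, the Linux-ping-style payload layout and the 7.0 bits/byte threshold are constructed assumptions.

```python
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte over an aggregated flow (assumed; baseline per environment)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Bounded above by log2(len(data)), so short inputs saturate early."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as used in the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # type 8, code 0, checksum placeholder
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_payload(packet: bytes) -> bytes:
    """Strip the 8-byte ICMP header from an echo request/reply and return its payload."""
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    return packet[8:]


def flow_payload_entropy(packets) -> float:
    """Entropy over the concatenated payloads of a flow, not per packet."""
    return shannon_entropy(b"".join(icmp_payload(p) for p in packets))


def is_high_entropy_flow(packets, threshold=ENTROPY_THRESHOLD) -> bool:
    return flow_payload_entropy(packets) > threshold


def benign_ping_flow(n=10):
    # Constructed: Linux-ping-style 56-byte payload, 8-byte timestamp then bytes 0x10..0x3f.
    pattern = bytes(range(0x10, 0x40))
    return [build_echo_request(0x1234, i, struct.pack("!II", 1700000000 + i, 0) + pattern)
            for i in range(n)]


def tunnel_like_flow(n=10, seed=7):
    # Constructed: 56 pseudo-random bytes per packet, the shape encrypted tunnel data takes.
    rng = random.Random(seed)
    return [build_echo_request(0x1234, i, bytes(rng.getrandbits(8) for _ in range(56)))
            for i in range(n)]


if __name__ == "__main__":
    benign, tunnel = benign_ping_flow(), tunnel_like_flow()
    print("single packet:", shannon_entropy(icmp_payload(benign[0])),
          shannon_entropy(icmp_payload(tunnel[0])))
    print("flow:", flow_payload_entropy(benign), flow_payload_entropy(tunnel))
```

Because of the saturation effect, a production version would key the aggregation on the echo identifier (or source/destination pair) and only score a flow once enough payload bytes have been seen; the threshold itself should be set from a baseline of the environment's own ping and monitoring traffic.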