Type: Detection | Level: medium | Status: test
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
Author: Saw Winn Naung, Azure-Sentinel. Created Sun Aug 15, updated Fri Sep 12. Rule ID: a8322756-015c-42e7-afb1-436e85ed3ff5. Category: network.
Log Source
Product: Zeek (Bro) (raw: zeek)
Service: dns (raw: dns)
Detection Logic (1 selector)
detection:
    selection:
        query|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactic: attack.exfiltration; Technique: attack.t1048 (from the rule's tags)
Related Rules
Similar | Detection | high: DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks. Detects similar activity; both rules may fire on overlapping events.
Similar | Detection | high: Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks. Detects similar activity; both rules may fire on overlapping events.
Rule Metadata
Rule ID
a8322756-015c-42e7-afb1-436e85ed3ff5
Status
test
Level
medium
Type
Detection
Created
Sun Aug 15
Modified
Fri Sep 12
Author
Saw Winn Naung, Azure-Sentinel
Path
rules/network/zeek/zeek_dns_torproxy.yml
Raw Tags
attack.exfiltration, attack.t1048