Detection · high · test
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
Log Source
Windows / DNS Query
Product: windows
Category: dns_query
DNS lookup events generated by endpoint monitoring tools.
Detection Logic (1 selector)
detection:
  selection:
    QueryName|endswith:
      - '.hiddenservice.net'
      - '.onion.ca'
      - '.onion.cab'
      - '.onion.casa'
      - '.onion.city'
      - '.onion.direct'
      - '.onion.dog'
      - '.onion.glass'
      - '.onion.gq'
      - '.onion.ink'
      - '.onion.it'
      - '.onion.link'
      - '.onion.lt'
      - '.onion.lu'
      - '.onion.nu'
      - '.onion.pet'
      - '.onion.plus'
      - '.onion.rip'
      - '.onion.sh'
      - '.onion.to'
      - '.onion.top'
      - '.onion'
      - '.s1.tor-gateways.de'
      - '.s2.tor-gateways.de'
      - '.s3.tor-gateways.de'
      - '.s4.tor-gateways.de'
      - '.s5.tor-gateways.de'
      - '.t2w.pw'
      - '.tor2web.ae.org'
      - '.tor2web.blutmagie.de'
      - '.tor2web.com'
      - '.tor2web.fi'
      - '.tor2web.io'
      - '.tor2web.org'
      - '.tor2web.xyz'
      - '.torlink.co'
  condition: selection

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
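The selector above, re-implemented in Python and run over constructed Sysmon Event ID 22 (DNS query) records, as an added example that is not part of the Sigma rule or project. It assumes Sigma's case-insensitive string matching and strips a trailing dot from fully qualified names; the sample events and image paths are made up.

```python
# Added example (not from the Sigma project): this rule's selector in Python,
# run over constructed Sysmon Event ID 22 records.
SYSMON_DNS_QUERY_EVENT_ID = 22

# Suffix list copied from the rule's QueryName|endswith selector.
TOR_SUFFIXES = (
    ".hiddenservice.net", ".onion.ca", ".onion.cab", ".onion.casa",
    ".onion.city", ".onion.direct", ".onion.dog", ".onion.glass",
    ".onion.gq", ".onion.ink", ".onion.it", ".onion.link", ".onion.lt",
    ".onion.lu", ".onion.nu", ".onion.pet", ".onion.plus", ".onion.rip",
    ".onion.sh", ".onion.to", ".onion.top", ".onion",
    ".s1.tor-gateways.de", ".s2.tor-gateways.de", ".s3.tor-gateways.de",
    ".s4.tor-gateways.de", ".s5.tor-gateways.de", ".t2w.pw",
    ".tor2web.ae.org", ".tor2web.blutmagie.de", ".tor2web.com",
    ".tor2web.fi", ".tor2web.io", ".tor2web.org", ".tor2web.xyz",
    ".torlink.co",
)

def is_tor_onion_query(event):
    """Return True when a Sysmon DNS query event satisfies the rule's selection.

    Sigma string modifiers compare case-insensitively, so the name is lowercased;
    a trailing dot (fully qualified form) is stripped so 'x.onion.' still matches.
    """
    if event.get("EventID") != SYSMON_DNS_QUERY_EVENT_ID:
        return False
    name = str(event.get("QueryName", "")).lower().rstrip(".")
    return any(name.endswith(suffix) for suffix in TOR_SUFFIXES)

# Constructed sample events (field names follow Sysmon Event ID 22).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "example.onion"},
    {"EventID": 22, "Image": r"C:\Windows\System32\curl.exe",
     "QueryName": "example.ONION.TO."},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "onionlike.example.com"},        # benign: suffix does not match
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "example.onion"},                 # not a DNS query event: ignored
]

def matching_query_names(events):
    """Return the QueryName of every event that the rule would flag."""
    return [e["QueryName"] for e in events if is_tor_onion_query(e)]

if __name__ == "__main__":
    for hit in matching_query_names(SAMPLE_EVENTS):
        print("tor/onion DNS query:", hit)
```

The third sample shows why the suffix check must start with a dot: a benign name that merely contains "onion" is not flagged, which keeps triage noise down.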
MITRE ATT&CK
Tactics: Command and Control (attack.command-and-control)
Sub-techniques: T1090.003 (attack.t1090.003)
Related Rules
Similar · Detection · high
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
Detects similar activity. Both rules may fire on overlapping events.
Similar · Detection · medium
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
Detects similar activity. Both rules may fire on overlapping events.
Rule Metadata
Rule ID
b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
Status
test
Level
high
Type
Detection
Created
Sun Feb 20
Modified
Fri Sep 12
Author
Path
rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml
Raw Tags
attack.command-and-control, attack.t1090.003