DNS TOR Proxies

Identifies IPs performing DNS lookups associated with common Tor proxies.

Sigma rule

title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
related:
    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
      type: similar
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung, Azure-Sentinel
date: 2021-08-15
modified: 2025-09-12
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
fields:
    - clientip
falsepositives:
    - Unknown
level: medium
