Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
Sigma rule

title: Query Tor Onion Address - DNS Client
id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
related:
  - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
    type: similar
status: test
description: Detects DNS resolution of an .onion address related to Tor routing networks
references:
  - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-20
tags:
  - attack.command-and-control
  - attack.t1090.003
logsource:
  product: windows
  service: dns-client
  definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
  selection:
    EventID: 3008
    QueryName|contains: '.onion'
  condition: selection
falsepositives:
  - Unlikely
level: high
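To see what this rule's detection block actually selects, the following added example (not part of the Sigma project or the rule author's work) re-implements the `selection` logic, including Sigma's case-insensitive `contains` modifier, and runs it over constructed DNS Client 3008 records; the event dictionaries and the `matches`/`hits` helpers are assumptions for illustration.

```python
from typing import Any

# Detection block copied from the rule above.
DETECTION = {
    "selection": {"EventID": 3008, "QueryName|contains": ".onion"},
    "condition": "selection",
}


def _field_matches(key: str, expected: Any, event: dict) -> bool:
    """Evaluate one Sigma `field|modifier` pair against a single event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    for value in candidates:
        # Sigma string comparisons are case-insensitive by default.
        if modifier == "" and str(actual).lower() == str(value).lower():
            return True
        if modifier == "contains" and str(value).lower() in str(actual).lower():
            return True
        if modifier not in ("", "contains"):
            raise ValueError(f"unsupported modifier: {modifier}")
    return False


def matches(event: dict, detection: dict = DETECTION) -> bool:
    """True when the event satisfies every field of the rule's single selection."""
    selection = detection[detection["condition"].strip()]
    return all(_field_matches(k, v, event) for k, v in selection.items())


# Constructed sample events shaped like Microsoft-Windows-DNS-Client/Operational
# records (hypothetical names, not real indicators).
SAMPLE_EVENTS = [
    {"EventID": 3008, "QueryName": "abcdefghijklmnop.onion", "QueryStatus": "9003"},
    {"EventID": 3008, "QueryName": "www.example.com", "QueryStatus": "0"},
    {"EventID": 3006, "QueryName": "abcdefghijklmnop.onion"},  # query start, not 3008
    {"EventID": 3008, "QueryName": "cdn.onionfarm.example"},   # substring hit, see note
]


def hits(events=SAMPLE_EVENTS):
    """Return the QueryName of every event the rule would alert on."""
    return [e["QueryName"] for e in events if matches(e)]


if __name__ == "__main__":
    print(hits())
```

The last sample shows the caveat a practitioner should expect: `contains: '.onion'` is a substring test, so a hostname with a label beginning in `onion` also fires; if that noise appears in your environment, triage on the full QueryName rather than loosening the rule.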
Related rules
- DNS Query Tor .Onion Address - Sysmon
- Tor Client/Browser Execution
- ADSI-Cache File Creation By Uncommon Tool
- APT User Agent
- APT40 Dropbox Tool User Agent