Query Tor Onion Address - DNS Client

Detects DNS resolution of an .onion address related to Tor routing networks

Sigma rule (View on GitHub)

title: Query Tor Onion Address - DNS Client
id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
related:
    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
      type: similar
    - id: a8322756-015c-42e7-afb1-436e85ed3ff5
      type: similar
status: test
description: Detects DNS resolution of an .onion address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-20
modified: 2025-09-12
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unlikely
level: high
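The rule's selection logic, run over a few constructed Windows DNS Client (EventID 3008) records in Python. This is an added illustration, not code from the rule page or the SigmaHQ project; the suffix tuple is a labelled subset of the rule's list, and matching is case-insensitive as Sigma's string modifiers are by default.

```python
# Added example: evaluate the "Query Tor Onion Address - DNS Client" selection
# against DNS Client event records. Not part of the Sigma rule or SigmaHQ.

# Subset of the rule's QueryName|endswith list (the full rule carries ~45 entries).
TOR_SUFFIXES = (
    ".onion",
    ".onion.to",
    ".onion.link",
    ".hiddenservice.net",
    ".tor2web.org",
    ".torlink.co",
)


def matches_rule(event: dict) -> bool:
    """Return True when the record satisfies `selection` (EventID 3008 AND a
    QueryName ending with one of the listed suffixes)."""
    try:
        if int(event.get("EventID", -1)) != 3008:
            return False
    except (TypeError, ValueError):
        return False
    # Sigma `endswith` is case-insensitive unless the `cased` modifier is set,
    # so normalise before the literal suffix comparison.
    name = str(event.get("QueryName", "")).lower()
    return any(name.endswith(suffix) for suffix in TOR_SUFFIXES)


def run_detection(events: list) -> list:
    """Return the QueryName of every record the rule would alert on."""
    return [e["QueryName"] for e in events if matches_rule(e)]


# Constructed sample records, shaped like the fields a DNS Client 3008 event
# carries after collection (values are made up for this example).
EVENTS = [
    {"EventID": 3008, "QueryName": "exampleaddress.onion", "ProcessId": 4120},
    {"EventID": 3008, "QueryName": "exampleaddress.ONION.to", "ProcessId": 4120},
    {"EventID": 3008, "QueryName": "www.example.com", "ProcessId": 880},
    {"EventID": 3008, "QueryName": "myonion.example.net", "ProcessId": 880},  # 'onion' not a suffix
    {"EventID": 3020, "QueryName": "exampleaddress.onion", "ProcessId": 4120},  # wrong EventID
]

if __name__ == "__main__":
    for hit in run_detection(EVENTS):
        print("ALERT Query Tor Onion Address - DNS Client:", hit)
```

Only the first two records fire: the third and fourth show that a hostname merely containing "onion" is not enough, and the fifth that the EventID filter is part of the selection.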
