DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
Sigma rule
```yaml
title: DNS Query Tor .Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
    - id: a8322756-015c-42e7-afb1-436e85ed3ff5
      type: similar
status: test
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: frack113
date: 2022-02-20
modified: 2025-09-12
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.to'
            - '.onion.top'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unknown
level: high
```
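To show what the `QueryName|endswith` selection actually fires on, here is an added Python example (not part of the Sigma project or this rule) that applies the rule's semantics to constructed Sysmon Event ID 22 records: Sigma string matching is case-insensitive, a bare `.onion` suffix catches the hidden-service name itself, and a name that merely contains "onion" does not match. The event field names and sample values are assumptions for illustration.

```python
import json

# Suffix list copied verbatim from the rule's selection.
TOR_SUFFIXES = [
    ".hiddenservice.net", ".onion.ca", ".onion.cab", ".onion.casa", ".onion.city",
    ".onion.direct", ".onion.dog", ".onion.glass", ".onion.gq", ".onion.ink",
    ".onion.it", ".onion.link", ".onion.lt", ".onion.lu", ".onion.nu",
    ".onion.pet", ".onion.plus", ".onion.rip", ".onion.sh", ".onion.to",
    ".onion.top", ".onion", ".s1.tor-gateways.de", ".s2.tor-gateways.de",
    ".s3.tor-gateways.de", ".s4.tor-gateways.de", ".s5.tor-gateways.de",
    ".t2w.pw", ".tor2web.ae.org", ".tor2web.blutmagie.de", ".tor2web.com",
    ".tor2web.fi", ".tor2web.io", ".tor2web.org", ".tor2web.xyz", ".torlink.co",
]

def selection_matches(event: dict) -> bool:
    """Sigma 'endswith' over a list: true if the field ends with any value.
    Sigma matching is case-insensitive by default, so compare in lower case."""
    name = event.get("QueryName")
    if not isinstance(name, str):
        return False                    # field absent or not a string: no match
    return any(name.lower().endswith(s) for s in TOR_SUFFIXES)

def run_rule(events: list[dict]) -> list[dict]:
    """Apply the logsource (windows/dns_query maps to Sysmon Event ID 22) and
    the selection; 'condition: selection' means the selection alone alerts."""
    return [e for e in events if e.get("EventID") == 22 and selection_matches(e)]

# Constructed sample events (not real telemetry); three of them should alert.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Program Files\\Tor Browser\\Browser\\firefox.exe",
     "QueryName": "examplehidden3q6abcdef.onion"},          # bare .onion suffix
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "www.example.com"},                       # benign lookup
    {"EventID": 22, "Image": "C:\\Users\\u\\chrome.exe",
     "QueryName": "EXAMPLEHIDDEN.ONION.LINK"},              # upper case: still matches
    {"EventID": 22, "Image": "C:\\Users\\u\\chrome.exe",
     "QueryName": "onionrings-recipes.example"},            # contains 'onion', no match
    {"EventID": 3, "Image": "C:\\tor.exe", "QueryName": "foo.onion"},  # not a DNS event
    {"EventID": 22, "Image": "C:\\Users\\u\\chrome.exe",
     "QueryName": "gateway.s3.tor-gateways.de"},            # tor2web-style gateway
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The `Image` field is carried through unchanged so an analyst triaging the alert can see which process issued the query, which is the first thing to check given the rule's "Unknown" false-positive entry.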
Related rules
- Query Tor Onion Address - DNS Client
- Tor Client/Browser Execution
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Renamed Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Execution