DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
Sigma rule:
```yaml
title: DNS Query Tor .Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
status: test
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022-02-20
modified: 2023-09-18
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: '.onion'
    condition: selection
falsepositives:
    - Unknown
level: high
```
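To see what the `QueryName|contains: '.onion'` selection actually matches, here is an added example (not code from the Sigma project or the rule's author) that evaluates the selection over constructed Sysmon Event ID 22 (DnsQuery) records; the hostnames, image paths and resolved addresses are made up. It applies Sigma's default case-insensitive string matching, and the last record shows that `contains` is a plain substring test, so a name like `shop.onionrings.example` is also a hit the analyst has to triage.

```python
"""Evaluate the rule's `selection` over sample Sysmon DnsQuery events."""
from typing import Iterable

# Sigma string modifiers are case-insensitive by default, so the
# `QueryName|contains: '.onion'` selection becomes a case-folded substring test.
NEEDLE = ".onion"
RULE_LEVEL = "high"


def matches_rule(event: dict) -> bool:
    """True if the event satisfies `condition: selection` of the rule."""
    query = event.get("QueryName")
    if not isinstance(query, str):
        return False  # no QueryName field: the selection cannot match
    return NEEDLE in query.lower()


def find_hits(events: Iterable[dict]) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 22 records (field names as Sysmon logs them).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Tor Browser\Browser\firefox.exe",
     "QueryName": "abcdefghijklmnop.onion", "QueryResults": "127.0.0.1;"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.example.com", "QueryResults": "192.0.2.10;"},
    # Mixed case still matches: Sigma matching is case-insensitive.
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\tor\tor.exe",
     "QueryName": "Qrstuvwxyzabcdef.ONION", "QueryResults": ";"},
    # Substring match on a benign-looking name: the rule fires on this too,
    # which is the kind of hit that `falsepositives: Unknown` leaves to triage.
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "shop.onionrings.example", "QueryResults": "192.0.2.20;"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"[{RULE_LEVEL}] {hit['Image']} queried {hit['QueryName']}")
```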
Related rules
- Query Tor Onion Address - DNS Client
- Tor Client/Browser Execution
- ADSI-Cache File Creation By Uncommon Tool
- APT User Agent
- APT40 Dropbox Tool User Agent