DNS Query Tor .Onion Address - Sysmon

Detects DNS queries to an ".onion" address related to Tor routing networks

Sigma rule

title: DNS Query Tor .Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
    - id: a8322756-015c-42e7-afb1-436e85ed3ff5
      type: similar
status: test
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: frack113
date: 2022-02-20
modified: 2025-09-12
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.to'
            - '.onion.top'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unknown
level: high
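As an added example (not part of the rule or of the SigmaHQ project), the following Python applies the `QueryName|endswith` selection above to constructed Sysmon Event ID 22 (DnsQuery) records. The record layout and the function names are assumptions; it folds case and strips a trailing dot because Sigma string matching is case-insensitive by default and a FQDN-form name would otherwise miss the suffix check.

```python
from typing import Optional

# Suffix list copied from the rule's selection block (order matters only for
# which suffix is reported; the rule itself ORs all of them).
TOR_SUFFIXES = (
    ".hiddenservice.net", ".onion.ca", ".onion.cab", ".onion.casa", ".onion.city",
    ".onion.direct", ".onion.dog", ".onion.glass", ".onion.gq", ".onion.ink",
    ".onion.it", ".onion.link", ".onion.lt", ".onion.lu", ".onion.nu", ".onion.pet",
    ".onion.plus", ".onion.rip", ".onion.sh", ".onion.to", ".onion.top", ".onion",
    ".s1.tor-gateways.de", ".s2.tor-gateways.de", ".s3.tor-gateways.de",
    ".s4.tor-gateways.de", ".s5.tor-gateways.de", ".t2w.pw", ".tor2web.ae.org",
    ".tor2web.blutmagie.de", ".tor2web.com", ".tor2web.fi", ".tor2web.io",
    ".tor2web.org", ".tor2web.xyz", ".torlink.co",
)

def normalize_query_name(name: str) -> str:
    # Sigma values are case-insensitive by default; a trailing dot (FQDN form)
    # would defeat a naive endswith(), so remove it before comparing.
    return name.strip().lower().rstrip(".")

def matches_rule(query_name: str) -> Optional[str]:
    """Return the first suffix from the selection that QueryName ends with, else None."""
    q = normalize_query_name(query_name)
    for suffix in TOR_SUFFIXES:
        if q.endswith(suffix):
            return suffix
    return None

def evaluate_events(events):
    """Apply the selection to Sysmon records; only EID 22 carries QueryName."""
    alerts = []
    for e in events:
        if e.get("EventID") != 22:
            continue
        hit = matches_rule(e["QueryName"])
        if hit is not None:
            alerts.append({"Image": e["Image"], "QueryName": e["QueryName"], "matched": hit})
    return alerts

# Constructed sample records (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\client.exe", "QueryName": "abcdefghijklmnop.onion"},
    {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "example.ONION.TO."},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "onion.example.com"},
    {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "torproject.org"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "ignored.onion"},
]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert)
```

The third and fourth records show that a hostname merely containing "onion" or "tor" does not fire; only the listed suffixes do, which is why the rule's false-positive surface is limited to legitimate use of Tor2web-style gateways.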
