Tor Client/Browser Execution

calendar Aug 12, 2024 · attack.command-and-control attack.t1090.003  ·
Share on: linkedin copy

Detects the use of Tor or Tor-Browser to connect to onion routing networks

Sigma rule (View on GitHub)

 1title: Tor Client/Browser Execution
 2id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
 3status: test
 4description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
 5references:
 6    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 7author: frack113
 8date: 2022-02-20
 9modified: 2023-02-13
10tags:
11    - attack.command-and-control
12    - attack.t1090.003
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith:
19            - '\tor.exe'
20            - '\Tor Browser\Browser\firefox.exe'
21    condition: selection
22falsepositives:
23    - Unknown
24level: high

References

  • Detecting Tor use with LogPoint

    CISA along with FBI released an advisory on Tor recommend that organizations assess their risk of compromise via Tor and take appropriate mitigations to block or closely monitor network traffic to and from Tor exit nodes. >>>


    Read More

Related rules

to-top