Tor Client/Browser Execution
Detects the use of Tor or Tor-Browser to connect to onion routing networks
Sigma rule (View on GitHub)
1title: Tor Client/Browser Execution
2id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
3status: test
4description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
5references:
6 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
7author: frack113
8date: 2022-02-20
9modified: 2025-10-27
10tags:
11 - attack.command-and-control
12 - attack.t1090.003
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Description: 'Tor Browser'
19 - Product: 'Tor Browser'
20 - Image|endswith:
21 - '\tor.exe'
22 - '\Tor Browser\Browser\firefox.exe'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
27regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml
References
-
CISA along with FBI released an advisory on Tor recommend that organizations assess their risk of compromise via Tor and take appropriate mitigations to block or closely monitor network traffic to and from Tor exit nodes. >>>
Read More
Related rules
- DNS Query Tor .Onion Address - Sysmon
- Query Tor Onion Address - DNS Client
- Anydesk Temporary Artefact
- File Download From Browser Process Via Inline URL
- File Download with Headless Browser