DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1090.003 Proxy: Multi-hop Proxy |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: selection
```yaml
selection:
  QueryName|endswith:   # list values are ORed: any one suffix match fires the selection
    - '.hiddenservice.net'
    - '.onion'
    - '.onion.ca'
    - '.onion.cab'
    - '.onion.casa'
    - '.onion.city'
    - '.onion.direct'
    - '.onion.dog'
    - '.onion.glass'
    - '.onion.gq'
    - '.onion.ink'
    - '.onion.it'
    - '.onion.link'
    - '.onion.lt'
    - '.onion.lu'
    - '.onion.nu'
    - '.onion.pet'
    - '.onion.plus'
    - '.onion.rip'
    - '.onion.sh'
    - '.onion.to'
    - '.onion.top'
    - '.s1.tor-gateways.de'
    - '.s2.tor-gateways.de'
    - '.s3.tor-gateways.de'
    - '.s4.tor-gateways.de'
    - '.s5.tor-gateways.de'
    - '.t2w.pw'
    - '.tor2web.ae.org'
    - '.tor2web.blutmagie.de'
    - '.tor2web.com'
    - '.tor2web.fi'
    - '.tor2web.io'
    - '.tor2web.org'
    - '.tor2web.xyz'
    - '.torlink.co'
```
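The selection above is a single field with an ORed list of suffixes. The following Python is an added example, not the catalog's or the Sigma project's code, that evaluates that selection the way a detection pipeline would: it assumes Sysmon Event ID 22 records have been flattened into dicts with `EventID`, `Image` and `QueryName` keys (an assumption about the log shape), applies Sigma's case-insensitive `endswith` semantics, and strips a trailing dot so FQDN-form query names are not missed. The sample events are constructed, not real telemetry.

```python
"""Evaluate the 'DNS Query Tor .Onion Address - Sysmon' selection over sample events.

Added example; assumes each event is a dict {EventID, Image, QueryName}.
Sigma string matching is case-insensitive by default, so names are lowercased.
"""

# Suffix list copied from the rule's Stage 1 selection (QueryName|endswith).
TOR_SUFFIXES = (
    ".hiddenservice.net", ".onion", ".onion.ca", ".onion.cab", ".onion.casa",
    ".onion.city", ".onion.direct", ".onion.dog", ".onion.glass", ".onion.gq",
    ".onion.ink", ".onion.it", ".onion.link", ".onion.lt", ".onion.lu",
    ".onion.nu", ".onion.pet", ".onion.plus", ".onion.rip", ".onion.sh",
    ".onion.to", ".onion.top", ".s1.tor-gateways.de", ".s2.tor-gateways.de",
    ".s3.tor-gateways.de", ".s4.tor-gateways.de", ".s5.tor-gateways.de",
    ".t2w.pw", ".tor2web.ae.org", ".tor2web.blutmagie.de", ".tor2web.com",
    ".tor2web.fi", ".tor2web.io", ".tor2web.org", ".tor2web.xyz", ".torlink.co",
)


def matching_suffix(query_name):
    """Return the suffix the query name ends with, or None.

    Mirrors Sigma's endswith modifier: case-insensitive comparison. A trailing
    dot (FQDN form, e.g. 'foo.onion.') is stripped first so it cannot defeat
    the suffix test.
    """
    name = query_name.rstrip(".").lower()
    for suffix in TOR_SUFFIXES:
        if name.endswith(suffix):
            return suffix
    return None


def select(events):
    """Apply the selection (OR over all suffixes) to Sysmon Event ID 22 records.

    Returns the matching events, each annotated with the suffix that fired,
    which is what an analyst wants to see in the resulting alert.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 22:          # Sysmon DNSEvent only
            continue
        suffix = matching_suffix(ev.get("QueryName", ""))
        if suffix is not None:
            hits.append({**ev, "MatchedSuffix": suffix})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "QueryName": "abcdefghij1234567890.onion"},           # direct .onion lookup
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "Example.Onion.To"},                      # mixed case, tor2web gateway
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.example.com"},                       # benign
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "onion.example.com"},                     # 'onion' label but not a suffix
    {"EventID": 22, "Image": r"C:\Tools\curl.exe",
     "QueryName": "foo.tor2web.org."},                      # FQDN with trailing dot
    {"EventID": 3, "Image": r"C:\Tools\curl.exe",
     "QueryName": "foo.onion"},                             # wrong event ID, ignored
]

if __name__ == "__main__":
    for hit in select(SAMPLE_EVENTS):
        print(f"{hit['QueryName']:35} {hit['MatchedSuffix']:22} {hit['Image']}")
```

Two points the run makes visible. First, `onion.example.com` does not fire: `endswith` anchors on the right, so a label containing "onion" elsewhere in the name is not an indicator. Second, a properly configured Tor client resolves `.onion` names inside the Tor circuit and never hands them to the operating system resolver, so a Sysmon DNS event for one usually means an application tried the name outside Tor or is going through a Tor2web gateway; the `Image` field of the matching event is therefore the first thing to look at during triage.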
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| QueryName | ends_with | the 36 domain suffixes listed under Stage 1: selection, from `.hiddenservice.net` to `.torlink.co` |