sigmaDRL-1.1from SigmaHQ/sigma
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/network/zeek/zeek_dns_torproxy.yml
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
related:
- id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
type: similar
- id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
type: similar
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung , Azure-Sentinel
date: 2021-08-15
modified: 2025-09-12
tags:
- attack.exfiltration
- attack.t1048
logsource:
service: dns
product: zeek
detection:
selection:
query|endswith:
- '.hiddenservice.net'
- '.onion.ca'
- '.onion.cab'
- '.onion.casa'
- '.onion.city'
- '.onion.direct'
- '.onion.dog'
- '.onion.glass'
- '.onion.gq'
- '.onion.guide'
- '.onion.in.net'
- '.onion.ink'
- '.onion.it'
- '.onion.link'
- '.onion.lt'
- '.onion.lu'
- '.onion.ly'
- '.onion.mn'
- '.onion.network'
- '.onion.nu'
- '.onion.pet'
- '.onion.plus'
- '.onion.pt'
- '.onion.pw'
- '.onion.rip'
- '.onion.sh'
- '.onion.si'
- '.onion.to'
- '.onion.top'
- '.onion.ws'
- '.onion'
- '.s1.tor-gateways.de'
- '.s2.tor-gateways.de'
- '.s3.tor-gateways.de'
- '.s4.tor-gateways.de'
- '.s5.tor-gateways.de'
- '.t2w.pw'
- '.tor2web.ae.org'
- '.tor2web.blutmagie.de'
- '.tor2web.com'
- '.tor2web.fi'
- '.tor2web.io'
- '.tor2web.org'
- '.tor2web.xyz'
- '.torlink.co'
condition: selection
falsepositives:
- Unknown
level: medium