Sigma | Level: high | Hunting
Query Tor Onion Address - DNS Client
Detects DNS resolution (DNS Client event 3008) of a .onion address, or of a Tor2Web gateway domain that proxies clearnet access to Tor hidden services. A Tor-aware client such as Tor Browser resolves .onion names inside the Tor circuit and never hands them to the OS resolver (RFC 7686 reserves .onion from DNS), so a leaked .onion lookup on a Windows host points to a non-Tor-aware process or a user trying to reach a hidden service directly; a Tor2Web gateway lookup shows an attempt to reach one over plain HTTPS.
Detection Query
selection:
EventID: 3008
QueryName|endswith:
- .hiddenservice.net
- .onion.ca
- .onion.cab
- .onion.casa
- .onion.city
- .onion.direct
- .onion.dog
- .onion.glass
- .onion.gq
- .onion.guide
- .onion.in.net
- .onion.ink
- .onion.it
- .onion.link
- .onion.lt
- .onion.lu
- .onion.ly
- .onion.mn
- .onion.network
- .onion.nu
- .onion.pet
- .onion.plus
- .onion.pt
- .onion.pw
- .onion.rip
- .onion.sh
- .onion.si
- .onion.to
- .onion.top
- .onion.ws
- .onion
- .s1.tor-gateways.de
- .s2.tor-gateways.de
- .s3.tor-gateways.de
- .s4.tor-gateways.de
- .s5.tor-gateways.de
- .t2w.pw
- .tor2web.ae.org
- .tor2web.blutmagie.de
- .tor2web.com
- .tor2web.fi
- .tor2web.io
- .tor2web.org
- .tor2web.xyz
- .torlink.co
condition: selection
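The selection above is a plain suffix match, but two details matter when reproducing it outside a Sigma backend: Sigma string modifiers compare case-insensitively, and some collectors keep the trailing root dot on QueryName. The block below is an added example, not code from the rule or from SigmaHQ; it runs the rule's `EventID` and `QueryName|endswith` logic over constructed event 3008 records and then triages each hit by whether the queried name is a syntactically valid v3 (56 base32 characters) or retired v2 (16 characters) hidden-service address, or a Tor2Web gateway. The event dicts, the `normalize`/`classify` helpers and the sample names are all constructed here for illustration.

```python
"""Added example: run the Sigma rule's QueryName|endswith selection over
constructed Windows DNS Client (Operational) event 3008 records.
Illustrative code only; not part of the rule or of SigmaHQ tooling."""
import re
from typing import Dict, List, Tuple

# Suffix list copied verbatim from the rule's selection block.
ONION_SUFFIXES = (
    ".hiddenservice.net", ".onion.ca", ".onion.cab", ".onion.casa",
    ".onion.city", ".onion.direct", ".onion.dog", ".onion.glass",
    ".onion.gq", ".onion.guide", ".onion.in.net", ".onion.ink", ".onion.it",
    ".onion.link", ".onion.lt", ".onion.lu", ".onion.ly", ".onion.mn",
    ".onion.network", ".onion.nu", ".onion.pet", ".onion.plus", ".onion.pt",
    ".onion.pw", ".onion.rip", ".onion.sh", ".onion.si", ".onion.to",
    ".onion.top", ".onion.ws", ".onion", ".s1.tor-gateways.de",
    ".s2.tor-gateways.de", ".s3.tor-gateways.de", ".s4.tor-gateways.de",
    ".s5.tor-gateways.de", ".t2w.pw", ".tor2web.ae.org",
    ".tor2web.blutmagie.de", ".tor2web.com", ".tor2web.fi", ".tor2web.io",
    ".tor2web.org", ".tor2web.xyz", ".torlink.co",
)

# Hidden-service address shapes (assumption used only for triage of hits,
# not by the rule itself): v3 = 56 base32 chars, retired v2 = 16 chars.
ONION_V3 = re.compile(r"(?:^|\.)[a-z2-7]{56}\.onion$")
ONION_V2 = re.compile(r"(?:^|\.)[a-z2-7]{16}\.onion$")


def normalize(qname: str) -> str:
    """Lower-case (Sigma matching is case-insensitive) and drop a trailing
    root dot that some collectors leave on QueryName."""
    return qname.strip().lower().rstrip(".")


def matches_rule(event: Dict[str, object]) -> bool:
    """Sigma condition: EventID 3008 AND QueryName endswith any listed suffix."""
    if str(event.get("EventID")) != "3008":
        return False
    qname = normalize(str(event.get("QueryName", "")))
    return any(qname.endswith(suffix) for suffix in ONION_SUFFIXES)


def classify(qname: str) -> str:
    """Triage label for a hit: valid v3/v2 onion, malformed onion, or gateway."""
    qname = normalize(qname)
    if ONION_V3.search(qname):
        return "onion-v3"
    if ONION_V2.search(qname):
        return "onion-v2 (retired)"
    if qname.endswith(".onion"):
        return "onion-malformed"
    return "tor2web-gateway"


def run(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Apply the rule and return (QueryName, triage label) for every hit."""
    return [(str(e["QueryName"]), classify(str(e["QueryName"])))
            for e in events if matches_rule(e)]


# Constructed sample events; the onion names are synthetic, not real services.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 3008,
     "QueryName": "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"},
    {"EventID": 3008, "QueryName": "abcdefghijklmnop.onion.to."},  # trailing dot
    {"EventID": 3008, "QueryName": "EXAMPLE.ONION.LINK"},          # upper case
    {"EventID": 3008, "QueryName": "bad.onion"},                   # not a valid address
    {"EventID": 3008, "QueryName": "www.onion.com"},               # suffix not listed
    {"EventID": 3008, "QueryName": "myonion.net"},                 # no dot before onion
    {"EventID": 3006, "QueryName": "abc.onion"},                   # wrong EventID
    {"EventID": 3008, "QueryName": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for name, label in run(SAMPLE_EVENTS):
        print(f"HIT {label:20s} {name}")
```

Only the first four sample events fire; `www.onion.com` and `myonion.net` show that the rule matches dotted suffixes rather than the substring `onion`, and the 3006 event shows why the `EventID` clause is part of the selection. The triage labels are the practitioner's addition: a well-formed v3 address in a leaked query is worth a look at the querying process, while a malformed `.onion` name is more often a typo or a scanner.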
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-02-20
Data Sources
windows / dns-client
Platforms
windows
References
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
Tags
attack.command-and-control
attack.t1090.003
Raw Content
title: Query Tor Onion Address - DNS Client
id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
related:
- id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
type: similar
- id: a8322756-015c-42e7-afb1-436e85ed3ff5
type: similar
status: test
description: Detects DNS resolution of an .onion address related to Tor routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-20
modified: 2025-09-12
tags:
- attack.command-and-control
- attack.t1090.003
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|endswith:
- '.hiddenservice.net'
- '.onion.ca'
- '.onion.cab'
- '.onion.casa'
- '.onion.city'
- '.onion.direct'
- '.onion.dog'
- '.onion.glass'
- '.onion.gq'
- '.onion.guide'
- '.onion.in.net'
- '.onion.ink'
- '.onion.it'
- '.onion.link'
- '.onion.lt'
- '.onion.lu'
- '.onion.ly'
- '.onion.mn'
- '.onion.network'
- '.onion.nu'
- '.onion.pet'
- '.onion.plus'
- '.onion.pt'
- '.onion.pw'
- '.onion.rip'
- '.onion.sh'
- '.onion.si'
- '.onion.to'
- '.onion.top'
- '.onion.ws'
- '.onion'
- '.s1.tor-gateways.de'
- '.s2.tor-gateways.de'
- '.s3.tor-gateways.de'
- '.s4.tor-gateways.de'
- '.s5.tor-gateways.de'
- '.t2w.pw'
- '.tor2web.ae.org'
- '.tor2web.blutmagie.de'
- '.tor2web.com'
- '.tor2web.fi'
- '.tor2web.io'
- '.tor2web.org'
- '.tor2web.xyz'
- '.torlink.co'
condition: selection
falsepositives:
- Unlikely
level: high