Rules Contributing to DNS Query to TOR Proxy Domain

The following rules are used to identify DNS queries to onion domains and proxy domains for TOR network. Any one or more of these will trigger the DNS Query to TOR Proxy Domain Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

DNS Query to TOR Proxy Domain

DNS query to onion domains and proxy domains for TOR network.

More details

Rule ID

dns_1

Query

{'selection_domain': {'DnsQuestionName|endswith': ['.onion', '.tor2web.org', '.tor2web.com', '.torlink.co', '.onion.to', '.onion.ink', '.onion.cab', '.onion.nu', '.onion.link', '.onion.it', '.onion.city', '.onion.direct', '.onion.top', '.onion.casa', '.onion.plus', '.onion.rip', '.onion.dog', '.tor2web.fi', '.tor2web.blutmagie.de', '.onion.sh', '.onion.lu', '.onion.pet', '.t2w.pw', '.tor2web.ae.org', '.tor2web.io', '.tor2web.xyz', '.onion.lt', '.s1.tor-gateways.de', '.s2.tor-gateways.de', '.s3.tor-gateways.de', '.s4.tor-gateways.de', '.s5.tor-gateways.de', '.hiddenservice.net']}, 'condition': 'selection_domain'}

Log Source

Stellar Cyber Network Events configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0010, T1048, TA0011, T1090.003

References

https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml

Severity

Suppression Logic Based On

srcip
dns.question.name
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2024/05/15	medium	Legit access to TOR network. TOR network is rarely used for normal daily use unless your services have special anonymity needs.