title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
status: experimental
references:
  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
date: 2021/08/15
author: Saw Winn Naung , Azure-Sentinel
level: medium
logsource: 
    service: dns  
    product: zeek 
tags:
  - attack.t1048
detection:
    selection:
        query:
            - 'tor2web.org'
            - 'tor2web.com'
            - 'torlink.co'
            - 'onion.to'
            - 'onion.ink'
            - 'onion.cab'
            - 'onion.nu'
            - 'onion.link'
            - 'onion.it'
            - 'onion.city'
            - 'onion.direct'
            - 'onion.top'
            - 'onion.casa'
            - 'onion.plus'
            - 'onion.rip'
            - 'onion.dog'
            - 'tor2web.fi'
            - 'tor2web.blutmagie.de'
            - 'onion.sh'
            - 'onion.lu'
            - 'onion.pet'
            - 't2w.pw'
            - 'tor2web.ae.org'
            - 'tor2web.io'
            - 'tor2web.xyz'
            - 'onion.lt'
            - 's1.tor-gateways.de'
            - 's2.tor-gateways.de'
            - 's3.tor-gateways.de'
            - 's4.tor-gateways.de'
            - 's5.tor-gateways.de'
            - 'hiddenservice.net'
    condition: selection
fields:
    - clientip