Windows DNS query to Tor Onion address

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when a Windows host makes DNS queries to Tor onion addresses.

Strategy

This detection monitors DNS event logs where the query name contains “.onion” domains, which are specific to Tor hidden services. The detection looks for Event ID 3008 containing *.onion* in the QueryName field.

DNS queries for these addresses could indicate the presence of Tor software or specially configured applications attempting to access hidden services. This activity is notable as Tor can be leveraged by threat actors to hide command and control communications, or access underground marketplaces.
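As an added illustration (not part of this rule's definition), the following Python applies the same logic to constructed DNS-Client Event ID 3008 records, contrasting the rule's substring match with a stricter rightmost-label match; the event field names and sample query names are assumptions, not the vendor's schema.

```python
from dataclasses import dataclass

# Constructed sample records in the shape of Microsoft-Windows-DNS-Client/Operational
# events after log collection. Field names are assumptions modelled on the rule text.
SAMPLE_EVENTS = [
    {"EventID": 3008, "Host": "ws-01", "QueryName": "abcdefghijklmnop.onion"},
    {"EventID": 3008, "Host": "ws-01", "QueryName": "Mail.Example.ONION."},   # FQDN form
    {"EventID": 3008, "Host": "ws-02", "QueryName": "cdn.onionrouter.example.com"},
    {"EventID": 3006, "Host": "ws-02", "QueryName": "another.onion"},          # not a 3008 record
    {"EventID": 3008, "Host": "ws-03", "QueryName": "login.example.com"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    query_name: str


def matches_rule_pattern(query_name: str) -> bool:
    """The rule's own condition: QueryName contains the substring '.onion'."""
    return ".onion" in query_name.lower()


def is_onion_query(query_name: str) -> bool:
    """Stricter check: the rightmost DNS label is exactly 'onion'.

    Case-insensitive and tolerant of the trailing dot that FQDN-style logging adds.
    Unlike the substring match, 'cdn.onionrouter.example.com' does not fire here.
    """
    labels = query_name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def detect_onion_queries(events: list[dict]) -> list[Finding]:
    """Return one Finding per completed-query (3008) event whose name is a .onion address."""
    return [
        Finding(e["Host"], e["QueryName"])
        for e in events
        if e.get("EventID") == 3008 and is_onion_query(e.get("QueryName", ""))
    ]


if __name__ == "__main__":
    for f in detect_onion_queries(SAMPLE_EVENTS):
        print(f"{f.host}: DNS query for Tor onion address {f.query_name}")
```

Running it reports the two ws-01 queries only; the onionrouter name is flagged by the substring pattern but not by the label check, which is the usual source of benign noise to tune out.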

Triage & Response

  • Identify the {{host}} system that made DNS queries to Tor onion addresses.
  • Examine the specific .onion domain queried to determine if it’s associated with known malicious services.
  • Determine which process initiated the DNS query by correlating with process creation events.
  • Review user activity on the system around the time of the query to identify who was using the system.
  • Check for installed Tor browser or other Tor-related software on the system.
  • Examine network connections from the same host to identify if successful connections were established.
  • Look for any data transfer patterns that might indicate exfiltration attempts.