Does anyone know why this rule by Palo Alto Networks and by frack113 at Sigma Integrated Rule Set is allowed?
title: Tor Client/Browser Execution
id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
status: test
description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022-02-20
modified: 2023-02-13
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\tor.exe'
            - '\Tor Browser\Browser\firefox.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
It has been analyzed several times by different AIs and the same result comes back: privacy breach, it defeats the purpose of using Tor because it notifies when people connect to a .onion site. Or maybe someone could clarify it? Any comments or clarification are appreciated.
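Added example (my own code, not from the post or from the Sigma project): it applies the quoted rule's selection to constructed Windows process_creation events. It shows that the only field the rule reads is the Image path of a started process, that the leading backslash in the endswith values stops "editor.exe" from matching "\tor.exe", and that a network event carrying an .onion destination is outside the rule's logsource, so the rule never sees it. The event shape (Category, Image, DestinationHostname) and the paths are assumptions for the sample.

```python
# Added example: evaluate the quoted Sigma rule's selection against constructed events.
RULE_ID = "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c"  # id of the rule quoted above

# The only field the rule inspects, with its two |endswith values copied verbatim.
IMAGE_ENDSWITH = [r"\tor.exe", r"\Tor Browser\Browser\firefox.exe"]


def selection_matches(event):
    """Sigma `endswith` modifier: case-insensitive suffix match on the Image field."""
    image = str(event.get("Image", "")).lower()
    return any(image.endswith(suffix.lower()) for suffix in IMAGE_ENDSWITH)


def evaluate(events):
    """Return (Image, fired) for each process_creation event.

    Events of any other category are skipped: that is what the rule's
    `logsource: category: process_creation` means for a backend.
    """
    return [
        (e["Image"], selection_matches(e))
        for e in events
        if e.get("Category") == "process_creation"
    ]


# Constructed sample telemetry (hypothetical paths, not real data). The event
# key names are assumed; real backends map Sysmon/4688 fields onto `Image`.
SAMPLE_EVENTS = [
    {"Category": "process_creation",
     "Image": r"C:\Users\alice\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe"},
    {"Category": "process_creation",
     "Image": r"C:\Users\alice\Desktop\Tor Browser\Browser\firefox.exe"},
    {"Category": "process_creation", "Image": r"D:\Portable\TOR.EXE"},  # case-insensitive
    {"Category": "process_creation", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"Category": "process_creation", "Image": r"C:\Users\bob\Downloads\editor.exe"},
    # Network event with an .onion destination: not process_creation, so the rule
    # never evaluates it and has no field that could name the site visited.
    {"Category": "network_connection", "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "example.onion"},
]

if __name__ == "__main__":
    for image, fired in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if fired else 'no hit'}  {image}")
```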