Processes communicating with known Tor relay IP addresses may indicate adversary attempts to exfiltrate data or establish covert command and control channels, as Tor relays are commonly used to mask malicious network activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert communication channels and mitigate advanced persistent threat (APT) activities.
KQL Query

```kusto
let TorRelayData = (
    externaldata (Nickname:string,Fingerprint:string,EntryAddress:string,IPAddress:string,Port:string,AddressType:string,Hostname:string,CountryCode:string,IsRunning:bool,LastChangedIPData:string)
    [h@'https://torinfo.blob.core.windows.net/public/TorRelayIPs.csv'] with (ignoreFirstRecord=true,format="csv")
    | where AddressType == "IPv4"
);
TorRelayData
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
| join kind=inner (DeviceInfo | distinct DeviceId, PublicIP) on DeviceId
| project Timestamp, DeviceId, LocalPublicIP = PublicIP, LocalIP, RemoteIP, TorIP = IPAddress, Hostname, CountryCode, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath
```
```yaml
id: 26be4a5f-7e6f-4c2e-967d-467bddcbb51a
name: DetectTorRelayConnectivity
description: |
  This advanced hunting query detects processes communicating with known Tor relay IP addresses.
  The public URL in the query is updated daily at 12PM and 12AM UTC.
  CSV source is the Tor Project API, obtained with: https://github.com/Dylan-J/Tor-Project-Statistics
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
      - DeviceInfo
tactics:
  - Discovery
  - Command and control
query: |
  let TorRelayData = (
      externaldata (Nickname:string,Fingerprint:string,EntryAddress:string,IPAddress:string,Port:string,AddressType:string,Hostname:string,CountryCode:string,IsRunning:bool,LastChangedIPData:string)
      [h@'https://torinfo.blob.core.windows.net/public/TorRelayIPs.csv'] with (ignoreFirstRecord=true,format="csv")
      | where AddressType == "IPv4"
  );
  TorRelayData
  | join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
  | join kind=inner (DeviceInfo | distinct DeviceId, PublicIP) on DeviceId
  | project Timestamp, DeviceId, LocalPublicIP = PublicIP, LocalIP, RemoteIP, TorIP = IPAddress, Hostname, CountryCode, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceInfo | Ensure this data connector is enabled |
**Scenario: System Maintenance or Patching Tools Communicating with Tor Relays**
Description: Tools like Windows Update or Ansible may temporarily communicate with external servers during patching or configuration updates, and those connections can match entries on the Tor relay list if the list is outdated or misconfigured.
Filter/Exclusion: Exclude processes associated with known patching tools (e.g., svchost.exe for Windows Update, ansible for Ansible jobs) using the process name or parent-process context.

**Scenario: Scheduled Job for Network Monitoring or Security Tool Communication**
Description: Tools like Nmap, Wireshark, or tcpdump may run in scheduled jobs to monitor network traffic and can inadvertently connect to Tor relay IPs if the IP list is not properly filtered.
Filter/Exclusion: Exclude processes associated with network monitoring tools using the process name or command-line arguments (e.g., nmap, tcpdump, wireshark).

**Scenario: Admin Task Involving External IP Address Testing**
Description: Administrators may use tools like curl, telnet, or nc (netcat) to test connectivity to external IP addresses, including addresses that happen to be listed as Tor relays.
Filter/Exclusion: Exclude processes initiated by admin accounts, or those whose command-line arguments contain test, ping, or connect, using the process command line or user context.

**Scenario: Legitimate Cloud Provider or CDN IP Address Misclassified as Tor Relay**
Description: Some cloud providers or CDNs have IP ranges that overlap with Tor relay addresses, so legitimate traffic to those ranges produces false positives.
Filter/Exclusion: Exclude traffic involving known cloud provider ranges (e.g., AWS, Azure, Google Cloud) using IP geolocation or IP range filters.
**Scenario: False
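To make the behaviour of the KQL query above and the tuning described in the false-positive scenarios concrete without a Sentinel workspace, here is an added offline model in Python. It is example code written for this page, not part of the original rule or the Tor-Project-Statistics project: it parses a relay CSV laid out like the `externaldata()` schema, keeps IPv4 rows, performs the two inner joins and the projection, and then applies a process-name allowlist (patching and monitoring scenarios) and an IP-range exclusion (cloud provider scenario). The relay rows, `DeviceInfo` rows, network events, excluded process names and the `198.51.100.0/24` "cloud" range are all constructed sample data.

```python
"""Offline model of the DetectTorRelayConnectivity hunt (added example; all data constructed)."""
import csv
import io
import ipaddress

# Constructed stand-in for TorRelayIPs.csv, same column order as the query's externaldata()
# declaration. Addresses come from documentation ranges and are not real relays.
SAMPLE_RELAY_CSV = """\
Nickname,Fingerprint,EntryAddress,IPAddress,Port,AddressType,Hostname,CountryCode,IsRunning,LastChangedIPData
relayA,AAAA1111,203.0.113.10:9001,203.0.113.10,9001,IPv4,relay-a.example,DE,true,2024-01-01
relayB,BBBB2222,[2001:db8::5]:9001,2001:db8::5,9001,IPv6,relay-b.example,NL,true,2024-01-01
relayC,CCCC3333,198.51.100.7:443,198.51.100.7,443,IPv4,relay-c.example,US,true,2024-01-01
"""

# Constructed DeviceInfo rows; device-2 is deliberately missing to show the inner-join effect.
SAMPLE_DEVICE_INFO = [
    {"DeviceId": "device-1", "PublicIP": "192.0.2.1"},
    {"DeviceId": "device-3", "PublicIP": "192.0.2.3"},
]

def _event(device, proc, remote, local="10.0.0.5", folder=r"c:\windows\system32"):
    """Build one constructed DeviceNetworkEvents-style row."""
    return {"Timestamp": "2024-05-01T10:00:00Z", "DeviceId": device, "LocalIP": local,
            "RemoteIP": remote, "ActionType": "ConnectionSuccess",
            "InitiatingProcessFileName": proc, "InitiatingProcessFolderPath": folder}

SAMPLE_NETWORK_EVENTS = [
    _event("device-1", "svchost.exe", "203.0.113.10"),    # relay, but an excluded patching process
    _event("device-1", "powershell.exe", "203.0.113.10"), # relay, unexpected process: the true hit
    _event("device-2", "chrome.exe", "203.0.113.10"),     # relay, but no DeviceInfo row for device-2
    _event("device-1", "outlook.exe", "192.0.2.50"),      # not a relay
    _event("device-1", "python.exe", "198.51.100.7"),     # relay inside the excluded "cloud" range
    _event("device-3", "tor.exe", "2001:db8::5"),         # IPv6 relay, dropped by the IPv4 filter
]

# Constructed tuning lists derived from the scenarios above.
DEFAULT_EXCLUDED_PROCESSES = frozenset({"svchost.exe", "ansible", "nmap", "tcpdump", "wireshark"})
DEFAULT_EXCLUDED_RANGES = ("198.51.100.0/24",)  # stand-in for a cloud provider range

def load_tor_relays(csv_text):
    """Parse the relay CSV, skipping the header (ignoreFirstRecord) and keeping only
    AddressType == "IPv4" rows. Returns {IPAddress: row} so the join is a dict lookup."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["IPAddress"]: row for row in reader if row["AddressType"] == "IPv4"}

def hunt_tor_connections(relays, network_events, device_info,
                         excluded_processes=(), excluded_ranges=()):
    """Mirror the query: inner-join events to relays on RemoteIP, inner-join to DeviceInfo
    on DeviceId, project the same columns, then drop rows matching the tuning exclusions."""
    public_ip = {d["DeviceId"]: d["PublicIP"] for d in device_info}  # DeviceInfo | distinct
    excluded = {p.lower() for p in excluded_processes}
    ranges = [ipaddress.ip_network(r) for r in excluded_ranges]
    hits = []
    for ev in network_events:
        relay = relays.get(ev["RemoteIP"])
        if relay is None or ev["DeviceId"] not in public_ip:
            continue  # either inner join finds no match
        if ev["InitiatingProcessFileName"].lower() in excluded:
            continue  # patching / monitoring tool allowlist
        if any(ipaddress.ip_address(ev["RemoteIP"]) in net for net in ranges):
            continue  # cloud provider range exclusion
        hits.append({
            "Timestamp": ev["Timestamp"], "DeviceId": ev["DeviceId"],
            "LocalPublicIP": public_ip[ev["DeviceId"]], "LocalIP": ev["LocalIP"],
            "RemoteIP": ev["RemoteIP"], "TorIP": relay["IPAddress"],
            "Hostname": relay["Hostname"], "CountryCode": relay["CountryCode"],
            "ActionType": ev["ActionType"],
            "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
            "InitiatingProcessFolderPath": ev["InitiatingProcessFolderPath"],
        })
    return hits

def run_sample(apply_exclusions=True):
    """Run the hunt over the constructed data, with or without the scenario exclusions."""
    relays = load_tor_relays(SAMPLE_RELAY_CSV)
    return hunt_tor_connections(
        relays, SAMPLE_NETWORK_EVENTS, SAMPLE_DEVICE_INFO,
        DEFAULT_EXCLUDED_PROCESSES if apply_exclusions else (),
        DEFAULT_EXCLUDED_RANGES if apply_exclusions else ())

if __name__ == "__main__":
    for hit in run_sample():
        print(hit["DeviceId"], hit["InitiatingProcessFileName"], "->", hit["TorIP"], hit["CountryCode"])
```

Two details of the KQL are worth keeping in mind when reading the model. The second `join kind=inner` silently drops events from devices that have no `DeviceInfo` row (device-2 above), so a gap in the inventory table hides hits rather than surfacing them; and `DeviceInfo | distinct DeviceId, PublicIP` can return more than one row per device when its public IP changed during the lookback, which duplicates hits in Sentinel, whereas this model keeps one `PublicIP` per device. The exclusions here key on the process name and the remote range only; the admin-account and command-line exclusions from the third scenario are left out because they are considerably broader.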