Adversaries may use Tor, including through the Meek pluggable transport that wraps Tor traffic in HTTPS to a CDN front, to exfiltrate data or run command and control while evading network-based detection. Because the traffic itself is encrypted, the most reliable signal is the client process on the endpoint: SOC teams should proactively hunt for Tor client activity in Azure Sentinel to identify potential command and control channels or data exfiltration attempts.
KQL Query
DeviceNetworkEvents
// Look back 3 days (Timestamp > ago(3d); "<" would return everything older than 3 days).
| where Timestamp > ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")
// Returns MD5 hashes of files used by Tor, to enable you to block them.
// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).
| summarize MachineCount=dcount(DeviceName), MachineNames=make_set(DeviceName, 5) by InitiatingProcessMD5
| order by MachineCount desc
id: a0b19966-3b4d-45de-969c-ee5f1ef8c18a
name: Tor
description: |
  This query looks for the Tor client, or for a common Tor pluggable transport called Meek.
  We query for active Tor connections, but could alternatively have looked for Tor process launches (DeviceProcessEvents) or Tor downloads (DeviceFileEvents).
  To read more about this technique, see:
  Tor: https://attack.mitre.org/wiki/Software/S0183#Techniques_Used
  Meek plugin: https://attack.mitre.org/wiki/Software/S0175
  Multi-hop proxy technique: https://attack.mitre.org/wiki/Technique/T1188
  Tags: #Tor, #MultiHopProxy, #CnC
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  DeviceNetworkEvents
  | where Timestamp > ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")
  // Returns MD5 hashes of files used by Tor, to enable you to block them.
  // We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).
  | summarize MachineCount=dcount(DeviceName), MachineNames=make_set(DeviceName, 5) by InitiatingProcessMD5
  | order by MachineCount desc
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure it is enabled with the DeviceNetworkEvents data type selected |
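As an added example (not the page's own hunting query), the following widens the hunt across the three data sources the description names and keys on SHA256 rather than MD5, which is what you would actually push to an indicator list. Column names follow the Defender XDR advanced hunting schema; the 3-day window and the inclusion of obfs4proxy.exe (another Tor pluggable-transport client bundled with Tor Browser) are assumptions for illustration.

```kql
// Added example, not the page's original query. Extends the hunt to the three
// data sources the description names and keys on SHA256 rather than MD5.
// Column names follow the Defender XDR advanced hunting schema; the 3-day
// window and the inclusion of obfs4proxy.exe are assumptions for illustration.
let lookback = 3d;
let torBinaries = dynamic(["tor.exe", "meek-client.exe", "obfs4proxy.exe"]);
// 1. Outbound connections initiated by a Tor or pluggable-transport client.
let netHits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (torBinaries)
    | project Timestamp, DeviceName, Source = "DeviceNetworkEvents",
              FileName = InitiatingProcessFileName, SHA256 = InitiatingProcessSHA256,
              Account = InitiatingProcessAccountName, Parent = InitiatingProcessParentFileName,
              Detail = strcat(RemoteIP, ":", tostring(RemotePort));
// 2. Process launches of the same binaries, which also catches a client that
//    started but never completed a connection (e.g. blocked at the proxy).
let procHits = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (torBinaries)
    | project Timestamp, DeviceName, Source = "DeviceProcessEvents",
              FileName, SHA256, Account = AccountName, Parent = InitiatingProcessFileName,
              Detail = ProcessCommandLine;
// 3. The binaries being written to disk: a download, an archive extraction,
//    or a dropper staging the client before first use.
let fileHits = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified") and FileName in~ (torBinaries)
    | project Timestamp, DeviceName, Source = "DeviceFileEvents",
              FileName, SHA256, Account = InitiatingProcessAccountName,
              Parent = InitiatingProcessFileName, Detail = FolderPath;
union netHits, procHits, fileHits
// Prevalence per hash is the triage signal: a hash seen on one or two hosts
// from an unusual parent is far more interesting than a fleet-wide install.
| summarize MachineCount = dcount(DeviceName), Machines = make_set(DeviceName, 5),
            Sources = make_set(Source), Parents = make_set(Parent, 5),
            Accounts = make_set(Account, 5), Examples = make_set(Detail, 3),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
  by FileName, SHA256
| order by MachineCount desc
```

Sorting descending matches the page's blocking use case (most prevalent first); flip it to `asc` when triaging, so rare hashes launched from an unexpected parent surface at the top. Hash blocking on its own is brittle, since every Tor Browser release ships new binaries, so treat the hashes as a snapshot rather than a durable control.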
Scenario: Legitimate Tor Usage for Secure Communication
Description: A system is sanctioned to use Tor for anonymous browsing or communication (for example an OSINT or threat-research workstation).
Filter/Exclusion: Exclude only the sanctioned combination of host and user. Note that a Tor client connects to guard relays or bridges, not to exit nodes, so an exit-node list is the wrong allowlist for outbound client traffic (192.0.2.0/24 is a documentation range used here only as a placeholder); exit-node lists are useful for spotting inbound connections from Tor, and a relay range can be matched with ipv4_is_in_range(RemoteIP, "192.0.2.0/24") if you do maintain one from the consensus.
Example: | where not(InitiatingProcessFileName =~ "tor.exe" and DeviceName in~ (ApprovedTorHosts) and InitiatingProcessAccountName in~ (ApprovedTorUsers))
Scenario: Meek Plugin for Tor Anonymity
Description: A system is using Meek, a Tor pluggable transport that tunnels Tor traffic over HTTPS to a CDN-hosted front (domain fronting), so on the wire the destination looks like a large CDN rather than a Tor relay.
Filter/Exclusion: Filtering by destination domain is unreliable here: the hosts Meek contacts are shared CDN fronts that say nothing about who is using the client (meek-01.net and meek-02.net are placeholders, not real Meek endpoints). Filter instead by the user or group authorised to use Meek, keyed on the meek-client.exe process; RemoteUrl is worth keeping in the output for context, not as the exclusion key.
Example: | where not(InitiatingProcessFileName =~ "meek-client.exe" and InitiatingProcessAccountName in~ (ApprovedMeekUsers))
Scenario: Scheduled Job to Update Tor Software
Description: A scheduled task runs to update the Tor software or its configuration files.
Filter/Exclusion: Exclude by the parent process that launched the client (e.g., a known updater such as tor-updater.exe, a hypothetical name) on approved hosts only. Do not exclude everything spawned by the Task Scheduler service (the svchost.exe instance hosting the Schedule service), because scheduled tasks are also a standard persistence mechanism for malware; DeviceNetworkEvents has no EventID column, so the parent is carried in InitiatingProcessParentFileName.
Example: | where not(InitiatingProcessParentFileName =~ "tor-updater.exe" and DeviceName in~ (ApprovedTorHosts))
Scenario: Admin Task to Configure Tor for Internal Use
Description: An administrator is configuring Tor for internal network testing or an internal relay setup.
Filter/Exclusion: Do not exclude on the account alone (User != "Administrator"): compromised admin accounts and attacker tooling run as Administrator too, so that exclusion hides exactly the activity the hunt exists to find. Narrow it instead to the specific command line the admin task uses (InitiatingProcessCommandLine on tor.exe), the hosts named in the change record, and the change window.
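The four scenarios above combined into one tuned query, as an added example that is not part of the page or of the Sentinel hunting query. Every suppression is an explicit allowlist, so a reviewer can see exactly what is excluded and why; host names, account names and the tor-updater.exe parent are constructed placeholders, and the 3-day window is an assumption.

```kql
// Added example, not part of the page. Applies the four exclusion scenarios
// above as explicit allowlists inside one query, so every suppression is
// visible and reviewable. Host, account and parent-process values are
// constructed placeholders; the 3-day window is an assumption.
let lookback = 3d;
let torBinaries = dynamic(["tor.exe", "meek-client.exe"]);
// Scenarios 1 and 2: hosts and accounts sanctioned to run Tor or Meek.
// Meek is deliberately not keyed on destination domain: with domain fronting
// the RemoteUrl is a shared CDN front and identifies nothing useful.
let approvedTorHosts = datatable(DeviceName:string) ["osint-ws-01", "osint-ws-02"];
let approvedTorUsers = datatable(Account:string) ["j.analyst", "svc-osint"];
// Scenario 3: the hypothetical updater; only this parent is excused, not
// everything the Task Scheduler service launches, because scheduled tasks
// are also a common persistence mechanism.
let approvedParents = dynamic(["tor-updater.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (torBinaries)
| extend IsApprovedHost = DeviceName in~ (approvedTorHosts)
| extend IsApprovedUser = InitiatingProcessAccountName in~ (approvedTorUsers)
| extend IsUpdaterChild = InitiatingProcessParentFileName in~ (approvedParents)
// Scenario 4: an admin context is labelled, never excluded on its own;
// "ran as Administrator" is not evidence of legitimacy.
| extend IsAdminContext = InitiatingProcessAccountName =~ "Administrator"
// Suppress only the combination the scenarios describe: an approved host
// where the client was started by an approved user or by the known updater.
| where not(IsApprovedHost and (IsApprovedUser or IsUpdaterChild))
| summarize MachineCount = dcount(DeviceName), Machines = make_set(DeviceName, 5),
            Accounts = make_set(InitiatingProcessAccountName, 5),
            Parents = make_set(InitiatingProcessParentFileName, 5),
            Remotes = make_set(strcat(RemoteIP, ":", tostring(RemotePort)), 5),
            AdminRuns = countif(IsAdminContext)
  by InitiatingProcessFileName, InitiatingProcessSHA256
| order by MachineCount desc
```

Keeping the allowlists as datatable() literals inside the query is fine for a hunt; for a scheduled analytics rule, move them to a watchlist so changes to who may run Tor are tracked outside the rule text. A Tor client on an approved host but started by an unapproved user, or by a parent other than the updater, still appears in the results, which is the case the tuning must never hide.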