Query Details

IC Tor Exit Browser Hunting Based On Device Events

Query

**[IC] -Tor Exit Browser hunting based on Device Events**

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    |
| ---  | --- |
| T1090.003 | Multi-hop Proxy  |

| Author | Sergio Albea (30/10/2025)   |
| ---  | --- |

**Description:** A Tor exit node is the last relay in the Tor network that traffic passes through before it reaches the public internet, so it is the one that actually makes the connection to the destination website.
In this query I list the devices that have connections to Tor exit nodes, which node each of them is talking to, and any RemoteUrl seen on those connections, so that unusual pairings can be reviewed.
```
//Author Sergio Albea 18-11-2025
// Historic exit-node list: one JSON object per line with the IP, its comma-separated active dates and the list source
let TorExitNodesHistoric = externaldata(IP:string, ActiveDates:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit-historic.json.zip'] with(format="multijson"); 
TorExitNodesHistoric 
| extend ActiveDates = split(ActiveDates, ',') 
| extend Country = tostring(geo_info_from_ip_address(IP)['country'])
// ActiveDays = number of distinct dates the IP was listed as an exit node (how long-lived the node is, not how often it was contacted)
| summarize ActiveDays = array_length(make_set(ActiveDates)) by Country,IP,Source
// The exit node is the remote side of the connection, so the join key is RemoteIP
// (for large tenants bound the scan first, e.g. DeviceNetworkEvents | where Timestamp > ago(7d))
| join kind=inner (DeviceNetworkEvents) on $left.IP == $right.RemoteIP
// Report RemoteIP as the exit node; LocalIP is the monitored device's own address
| summarize  by Source,DeviceName,TOR_Exit_Node= RemoteIP,Country,ActiveDays,RemoteUrl, InitiatingProcessAccountName, InitiatingProcessVersionInfoProductName, ActionType//, Timestamp,ReportId
| order by ActiveDays // order by is descending by default, so long-lived exit nodes come first
```

Explanation

This query is designed to identify devices that have connections to Tor exit nodes, the final relays in the Tor network before traffic reaches the public internet. It lists the exit nodes each device is talking to, together with any URLs associated with those connections, so that unusual pairings (an unexpected process or account, a server accepting inbound connections from the Tor network) can be reviewed. One caveat when reading the results: a Tor client connects to an entry guard, not to an exit node, so a hit on the exit list usually means either an inbound connection arriving from the Tor network (typical for internet-facing hosts) or an outbound connection to a relay that also appears on the exit list; the ActionType column (for example InboundConnectionAccepted versus ConnectionSuccess) tells the two cases apart.

Here's a simplified breakdown of what the query does:

  1. Data Source: It retrieves a list of historical Tor exit nodes from an external JSON file hosted online.

  2. Data Processing:

    • It splits the comma-separated active dates of each Tor exit node into an array.
    • It extracts the country for each IP address using the geo_info_from_ip_address function.
    • It counts, for each exit node IP, the number of distinct dates on which it was listed (ActiveDays).
  3. Joining Data:

    • The query joins the Tor exit node data with device network events based on matching IP addresses.
  4. Summarizing Results:

    • It summarizes the data to show which devices are connecting to Tor exit nodes, including details such as the source, device name, Tor exit node IP, country, number of active days, remote URL, and information about the initiating process.
  5. Ordering:

    • The results are ordered by ActiveDays, which is the number of distinct days the node has appeared on the exit list (its longevity), not the number of times devices connected to it; because order by is descending by default, long-lived exit nodes sort first.

Overall, this query helps in identifying and analyzing network activity related to Tor exit nodes, which can be useful for detecting potential security threats or suspicious behavior.
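To make the join and the ActiveDays semantics checkable without a Defender tenant, here is an added Python model of the query. It is not code from the page or from its author: it re-implements the same steps over constructed records. The only assumption about the external list is the schema declared in the query's externaldata() call (IP, ActiveDates as a comma-separated string, Source); every IP, date, host name, account and URL below is constructed sample data, and Country stays empty because geo_info_from_ip_address() is a Kusto function with no offline equivalent.

```python
"""Offline model of the KQL Tor exit hunting query.

Added example, not part of the original query or the author's page: it
re-implements the query's logic in Python over constructed records so the
RemoteIP join and the ActiveDays computation can be checked without a
Defender tenant. The exit-list schema (IP, ActiveDates as a comma-separated
string, Source) is taken from the externaldata() declaration in the query;
all IPs, dates, host names, accounts and URLs below are constructed sample data.
"""
import ipaddress
import json

# Output columns, in the order the query's final summarize emits them.
COLUMNS = (
    "Source", "DeviceName", "TOR_Exit_Node", "Country", "ActiveDays", "RemoteUrl",
    "InitiatingProcessAccountName", "InitiatingProcessVersionInfoProductName", "ActionType",
)

# Constructed stand-in for kusto-tor-exit-historic.json (multijson: one object
# per line). Addresses are documentation ranges (RFC 5737) and mean nothing.
TOR_EXIT_HISTORIC_JSON = """
{"IP": "203.0.113.10", "ActiveDates": "2025-10-01,2025-10-02,2025-10-02,2025-10-03", "Source": "tor-exit"}
{"IP": "198.51.100.7", "ActiveDates": "2025-10-03", "Source": "tor-exit"}
{"IP": "192.0.2.55", "ActiveDates": "2025-09-28,2025-09-29,2025-09-30,2025-10-01,2025-10-02", "Source": "tor-exit"}
"""

# Constructed DeviceNetworkEvents rows, limited to the columns the query uses.
DEVICE_NETWORK_EVENTS = [
    {"DeviceName": "wks-01", "LocalIP": "10.0.0.15", "RemoteIP": "203.0.113.10", "RemoteUrl": "",
     "InitiatingProcessAccountName": "alice", "InitiatingProcessVersionInfoProductName": "Tor Browser",
     "ActionType": "ConnectionSuccess"},
    # duplicate event: collapses into the same output row (summarize by == distinct)
    {"DeviceName": "wks-01", "LocalIP": "10.0.0.15", "RemoteIP": "203.0.113.10", "RemoteUrl": "",
     "InitiatingProcessAccountName": "alice", "InitiatingProcessVersionInfoProductName": "Tor Browser",
     "ActionType": "ConnectionSuccess"},
    # inbound hit: a server accepting a connection that arrives from a Tor exit
    {"DeviceName": "srv-02", "LocalIP": "10.0.0.40", "RemoteIP": "192.0.2.55", "RemoteUrl": "",
     "InitiatingProcessAccountName": "NETWORK SERVICE",
     "InitiatingProcessVersionInfoProductName": "Internet Information Services",
     "ActionType": "InboundConnectionAccepted"},
    # non-Tor destination: must not match
    {"DeviceName": "wks-03", "LocalIP": "10.0.0.77", "RemoteIP": "198.51.100.200", "RemoteUrl": "intranet.example",
     "InitiatingProcessAccountName": "bob", "InitiatingProcessVersionInfoProductName": "Microsoft Edge",
     "ActionType": "ConnectionSuccess"},
]


def load_exit_nodes(multijson: str) -> dict:
    """Mirror of the list-side pipeline:
    extend ActiveDates = split(ActiveDates, ',')
    | summarize ActiveDays = array_length(make_set(ActiveDates)) by Country, IP, Source
    Country stays None: geo_info_from_ip_address() is Kusto-only (assumption: no offline geo data)."""
    nodes = {}
    for line in multijson.strip().splitlines():
        rec = json.loads(line)
        ip = str(ipaddress.ip_address(rec["IP"].strip()))  # normalise, reject garbage
        distinct_dates = {d.strip() for d in rec["ActiveDates"].split(",") if d.strip()}
        nodes[ip] = {"Source": rec["Source"], "Country": None, "ActiveDays": len(distinct_dates)}
    return nodes


def hunt_tor_exit_connections(events: list, nodes: dict) -> list:
    """Mirror of: join kind=inner on $left.IP == $right.RemoteIP | summarize by ... | order by ActiveDays.
    The exit node is the remote side of the connection, so RemoteIP is both the join key and the
    reported TOR_Exit_Node; LocalIP is the monitored device's own address and is used for neither."""
    distinct_rows = set()
    for ev in events:
        node = nodes.get(ev["RemoteIP"])
        if node is None:
            continue
        distinct_rows.add((
            node["Source"], ev["DeviceName"], ev["RemoteIP"], node["Country"], node["ActiveDays"],
            ev["RemoteUrl"], ev["InitiatingProcessAccountName"],
            ev["InitiatingProcessVersionInfoProductName"], ev["ActionType"],
        ))
    rows = [dict(zip(COLUMNS, r)) for r in distinct_rows]
    rows.sort(key=lambda r: r["ActiveDays"], reverse=True)  # KQL order by defaults to descending
    return rows


if __name__ == "__main__":
    for row in hunt_tor_exit_connections(DEVICE_NETWORK_EVENTS, load_exit_nodes(TOR_EXIT_HISTORIC_JSON)):
        print(row)
```

Run stand-alone it prints two rows: the srv-02 inbound hit first (its exit node was listed on five distinct days) and the collapsed wks-01 row second (three days); the non-Tor destination never appears. The inbound row is the point of the ActionType column: the same exit-list match means very different things for a workstation making outbound connections and for a server accepting connections from the Tor network.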

Details


Sergio Albea

Released: November 18, 2025

Tables

TorExitNodesHistoric, DeviceNetworkEvents

Keywords

Devices

Operators

externaldata, with, extend, split, tostring, geo_info_from_ip_address, summarize, array_length, make_set, join, on, ==, by, order by
