TI Feed Tor Connections

# Tor Connections

## Query Information

#### Description
While Tor has legitimate uses for protecting personal privacy and circumventing censorship, connections from managed devices to Tor nodes are usually unwanted. They can be detected with the dynamic list of Tor nodes published by [dan.me.uk](https://www.dan.me.uk/): the query fetches the list every time it runs, so it always matches against the most recent set of nodes rather than a static copy that goes stale.

#### Risk
Tor connections from an endpoint can hide command-and-control traffic, data exfiltration or access to content that policy prohibits, and they bypass the inspection that proxies and firewalls normally provide. This detection surfaces successful connections to known Tor nodes so that each one can be triaged as legitimate (for example a privacy tool the organisation tolerates) or as a sign of unauthorised or malicious activity.

#### References
- https://www.dan.me.uk/

## Defender XDR
```KQL
// Current Tor nodes from dan.me.uk. format="txt" yields one string per line; the
// ?full variant appends details separated by "|", so keep only the first field.
let TorNodes = externaldata(Line:string)[@"https://www.dan.me.uk/Torlist/?full"] with (format="txt", ignoreFirstRecord=False);
let IPs = TorNodes
 | extend IP = trim(@"\s", tostring(split(Line, "|")[0]))
 // parse_ipv6 returns null for anything that is not an IPv4/IPv6 address,
 // e.g. the message the site returns when the list is fetched too often
 | where isnotempty(parse_ipv6(IP))
 | distinct IP;
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIP in (IPs)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName, InitiatingProcessCommandLine
```

## Sentinel
```KQL
// Same logic as the Defender XDR query; Sentinel's DeviceNetworkEvents table is
// populated by the Microsoft Defender XDR connector and uses TimeGenerated.
let TorNodes = externaldata(Line:string)[@"https://www.dan.me.uk/Torlist/?full"] with (format="txt", ignoreFirstRecord=False);
let IPs = TorNodes
 | extend IP = trim(@"\s", tostring(split(Line, "|")[0]))
 // Drop non-address lines (e.g. the rate-limit message) before matching
 | where isnotempty(parse_ipv6(IP))
 | distinct IP;
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIP in (IPs)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName, InitiatingProcessCommandLine
```

Explanation

This query detects network connections from endpoints to Tor nodes. Tor anonymises internet traffic by routing it through volunteer-run relays; that is useful for privacy and for bypassing censorship, but on managed devices it also hides command-and-control traffic, data exfiltration and access to restricted content from the proxies and firewalls that would otherwise inspect it.

Summary of the Query:

  1. Data Source: externaldata fetches the current list of Tor nodes from dan.me.uk at query time, so the match is always against the latest set of relays. The full list (all relays, not just exits) is the right one here: a Tor client's outbound connection goes to a guard (entry) relay, so an exit-only list would miss it. Note that the ?full variant carries extra fields per line, so the IP has to be taken from the first |-separated field before comparing, and that dan.me.uk rate-limits fetches; a query scheduled more often than the site allows receives an error message instead of addresses and silently matches nothing.

  2. Data Processing:

    • The list is read with format="txt" (one line per record) and de-duplicated with distinct.
    • DeviceNetworkEvents is filtered to successful connections (ActionType == "ConnectionSuccess") whose RemoteIP appears in that list.

  3. Output:

    • Each hit is shown with its timestamp, device name, remote IP and the initiating process (account name and command line). The command line is usually the quickest way to tell Tor Browser (tor.exe launched alongside firefox.exe) from something unexpected; because some relays also host unrelated services on the same address, a hit is an investigation lead rather than proof of Tor use, and the remote port (Tor ORPorts are commonly 9001 or 443) helps confirm it.
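The three stages above, run offline over constructed data, as an added example that is not part of the original query page. It reproduces the feed parsing and the match in Python so the two failure modes a practitioner meets can be seen without a tenant: the ?full feed carrying extra |-separated fields (and the occasional non-address line) and an IPv6 RemoteIP logged in expanded form that would not string-compare to the compressed form in the feed. The feed text, the relay names and the DeviceNetworkEvents rows are all made up for the example (documentation address ranges, not real relays); `normalize_ip` plays the role that parse_ipv6() plays in the KQL.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed stand-in for the dan.me.uk ?full feed (documentation ranges, not real
# relays): the IP is the first "|"-separated field, one relay per line. The bare-IP
# line shows the plain torlist layout and the last line mimics a non-address message
# returned instead of the list when it is fetched too often.
SAMPLE_FEED = """\
198.51.100.10|relayA|9001|9030|EFGRSDV|86400|0.4.8.10|none
203.0.113.5|relayB|443|0|FGRSDV|3600|0.4.8.10|none
2001:db8::1|relayC|9001|0|ERSDV|600|0.4.8.10|none
192.0.2.77
Too many requests, try again later
"""

# Constructed DeviceNetworkEvents rows (only the columns the query uses).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-12-21T08:00:00Z", "DeviceName": "ws01", "ActionType": "ConnectionSuccess",
     "RemoteIP": "198.51.100.10", "RemotePort": 9001,
     "InitiatingProcessAccountName": "alice", "InitiatingProcessCommandLine": "tor.exe -f torrc"},
    {"Timestamp": "2024-12-21T08:01:00Z", "DeviceName": "ws02", "ActionType": "ConnectionSuccess",
     "RemoteIP": "2001:0db8:0000:0000:0000:0000:0000:0001", "RemotePort": 9001,
     "InitiatingProcessAccountName": "bob", "InitiatingProcessCommandLine": "firefox.exe"},
    {"Timestamp": "2024-12-21T08:02:00Z", "DeviceName": "ws03", "ActionType": "ConnectionFailed",
     "RemoteIP": "203.0.113.5", "RemotePort": 443,
     "InitiatingProcessAccountName": "carol", "InitiatingProcessCommandLine": "curl.exe https://203.0.113.5/"},
    {"Timestamp": "2024-12-21T08:03:00Z", "DeviceName": "ws01", "ActionType": "ConnectionSuccess",
     "RemoteIP": "8.8.8.8", "RemotePort": 53,
     "InitiatingProcessAccountName": "alice", "InitiatingProcessCommandLine": "nslookup.exe"},
]

# Columns kept by the query's project-reorder stage.
PROJECTED = ("Timestamp", "DeviceName", "RemoteIP", "RemotePort",
             "InitiatingProcessAccountName", "InitiatingProcessCommandLine")


def normalize_ip(value: str) -> Optional[str]:
    """Canonical text form of an IPv4/IPv6 address, or None if the text is not one.

    Mirrors parse_ipv6() in KQL: an expanded IPv6 address and its compressed form
    only compare equal after both sides are canonicalised.
    """
    try:
        return ipaddress.ip_address(value.strip()).compressed
    except ValueError:
        return None


def parse_tor_feed(text: str) -> set:
    """Set of relay addresses in the raw feed text.

    Taking the first "|" field handles both the plain (IP per line) and the ?full
    (pipe-delimited) layout; non-address lines such as rate-limit messages are dropped.
    """
    addresses = set()
    for line in text.splitlines():
        candidate = normalize_ip(line.split("|", 1)[0])
        if candidate is not None:
            addresses.add(candidate)
    return addresses


def find_tor_connections(events: Iterable[dict], tor_ips: set) -> list:
    """The query's where / project stages applied to in-memory event rows."""
    hits = []
    for event in events:
        if event.get("ActionType") != "ConnectionSuccess":
            continue
        if normalize_ip(event.get("RemoteIP", "")) not in tor_ips:
            continue
        hits.append({column: event.get(column) for column in PROJECTED})
    return hits


if __name__ == "__main__":
    nodes = parse_tor_feed(SAMPLE_FEED)
    for hit in find_tor_connections(SAMPLE_EVENTS, nodes):
        print(hit)
```

Running it yields the ws01 and ws02 rows only: the failed connection and the DNS lookup are filtered out, and the expanded IPv6 address on ws02 matches because both sides are canonicalised before the comparison. In KQL the equivalent is to compare parse_ipv6(RemoteIP) against a parse_ipv6(IP) list when IPv6 relays matter.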

Risk Explanation:

The risk this detection covers is unauthorised or malicious activity conducted over Tor: command-and-control, exfiltration or policy-violating access that would otherwise be hidden from network inspection. By identifying which devices, accounts and processes connect to Tor nodes, an organisation can decide per hit whether the connection is legitimate or a security threat.

Differences Between Defender XDR and Sentinel:

The queries for Microsoft Defender XDR and Microsoft Sentinel are the same apart from the timestamp column (Timestamp in Defender XDR, TimeGenerated in Sentinel), which reflects the different schemas of the two platforms. In Sentinel the DeviceNetworkEvents table only exists when the Microsoft Defender XDR data connector is enabled and Defender for Endpoint events are being ingested.

Details


Bert-Jan Pals

Released: December 21, 2024

Tables

DeviceNetworkEvents

Keywords

TorNodes, IP, DeviceNetworkEvents, ActionType, RemoteIP, Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, TimeGenerated

Operators

let, externaldata, with, distinct, in, project-reorder, where