Adversaries may use the Tor network to exfiltrate data or communicate covertly, bypassing traditional network monitoring that keys on destination reputation or domain names. The rule below does not inspect traffic: it matches files or memory regions that reference Tor hidden-service state paths, so a hit indicates a Tor client or a bundled Tor component on the host rather than a connection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command-and-control channels or data exfiltration attempts that evade standard detection methods.
YARA Rule
rule network_tor {
    meta:
        author = "x0r"
        description = "Communications over TOR network"
        version = "0.1"
    strings:
        $p1 = "tor\\hidden_service\\private_key" nocase
        $p2 = "tor\\hidden_service\\hostname" nocase
        $p3 = "tor\\lock" nocase
        $p4 = "tor\\state" nocase
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic. All four are Windows-style paths (the doubled backslash in YARA source is an escaped single backslash), matched case-insensitively, and the "any of them" condition fires on a single hit, so a file that merely embeds the text "tor\state" is enough to trigger it. Forward-slash paths such as /var/lib/tor/hidden_service/private_key are not matched.
Scenario: System updates via Tor network
Description: A host running scheduled updates (e.g., with yum, apt, or Chocolatey) may pull packages through a local Tor SOCKS proxy if the package manager is configured to do so (e.g., apt-transport-tor), leaving Tor state files on disk.
Filter/Exclusion: Exclude matches on hosts whose only Tor-related activity is package traffic to known update servers (e.g., security.debian.org, archive.ubuntu.com, packages.microsoft.com), or filter by the process that owns the matched artifact (e.g., yum, apt, choco).
Scenario: Admin task using Tor for secure remote access
Description: An administrator may use Tor to reach internal systems, for example via an SSH tunnel to an onion service or a remote desktop session proxied through Tor.
Filter/Exclusion: Exclude matches originating from designated admin workstations, or filter by user/group (e.g., root, admin) or process name (e.g., tor, ssh, mstsc). Validate the exclusion against the full process path and signer rather than the bare name, since a process name alone is trivially spoofed.
Scenario: Legitimate data transfer via Tor
Description: A company may use Tor to transfer sensitive data to a third-party service (e.g., for compliance or archival purposes) using Torsocks or other torified applications.
Filter/Exclusion: Exclude traffic to known data storage services (e.g., s3.amazonaws.com, cloudfront.net) or filter by application name (e.g., torsocks, torify).
Scenario: Internal monitoring tool using Tor for anonymity
Description: An internal monitoring or logging tool (e.g., Prometheus or Grafana) may use Tor to send metrics to an external analytics platform for privacy.
Filter/Exclusion: Exclude traffic from known monitoring tools (e.g., prometheus, grafana) or filter
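To make the rule's matching semantics and the tuning scenarios above concrete, here is an added example (not part of the original page or of the x0r rule) that re-implements the four-string, case-insensitive, any-of logic of network_tor in stdlib-only Python and then runs the process/user allow-listing from the scenarios over the hits. The sample file contents, host metadata and allow-list entries are constructed for this demo; names such as ScanResult, triage and ALLOWED_PROCESSES are the example's own, not Sentinel or YARA API.

```python
"""
Added example: stdlib-only re-implementation of the network_tor YARA logic plus
the false-positive allow-listing described in the scenarios. Sample artifacts,
host metadata and allow-lists below are constructed, not real telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The four YARA strings. In YARA source "\\" is an escaped backslash, so the
# bytes actually searched for contain a single backslash (Windows-style path).
# `nocase` -> case-insensitive; `any of them` -> one hit is enough.
TOR_PATTERNS = {
    "$p1": b"tor\\hidden_service\\private_key",
    "$p2": b"tor\\hidden_service\\hostname",
    "$p3": b"tor\\lock",
    "$p4": b"tor\\state",
}


def match_network_tor(data: bytes) -> list[str]:
    """Return the YARA string identifiers found in `data` (ASCII case-folded,
    which is what `nocase` does for plain ASCII strings)."""
    haystack = data.lower()
    return [name for name, pat in TOR_PATTERNS.items() if pat.lower() in haystack]


@dataclass
class ScanResult:
    path: str
    process: str          # process that owns/wrote the file, from EDR telemetry
    user: str
    matched: list[str] = field(default_factory=list)


# Hypothetical tuning derived from the scenarios above; adjust per estate.
ALLOWED_PROCESSES = {"apt", "yum", "choco", "torsocks", "torify", "prometheus", "grafana"}
ADMIN_USERS = {"root", "admin"}
ADMIN_ALLOWED_PROCESSES = {"tor", "ssh", "mstsc"}


def _norm_process(name: str) -> str:
    """Lower-case and drop a trailing .exe so 'Tor.exe' and 'tor' compare equal."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def triage(result: ScanResult) -> str:
    """Classify a scan result as 'no_match', 'alert', or 'suppressed:<reason>'.
    Caveat: keying only on process name is weak; corroborate with signed path."""
    if not result.matched:
        return "no_match"
    proc = _norm_process(result.process)
    if proc in ALLOWED_PROCESSES:
        return f"suppressed:allowlisted_process:{proc}"
    if result.user.lower() in ADMIN_USERS and proc in ADMIN_ALLOWED_PROCESSES:
        return f"suppressed:admin_tooling:{result.user.lower()}/{proc}"
    return "alert"


# Constructed artifacts: (path, owning process, user, file bytes).
SAMPLES = [
    # Dropper bundling Tor and writing a hidden-service key under %APPDATA%.
    ("C:\\Users\\Public\\svchost32.exe", "svchost32.exe", "jdoe",
     b"MZ\x90\x00\x03\x00%APPDATA%\\Tor\\hidden_service\\private_key\x00"),
    # Admin-run tor.exe; mixed case still hits because of `nocase`.
    ("C:\\ProgramData\\tor\\torrc", "Tor.exe", "admin",
     b"DataDirectory C:\\ProgramData\\TOR\\STATE\r\n"),
    # Linux tor daemon: forward slashes, so the Windows-style strings never match.
    ("/var/lib/tor/hidden_service/private_key", "tor", "debian-tor",
     b"-----BEGIN RSA PRIVATE KEY-----\n/var/lib/tor/hidden_service/private_key\n"),
    # Chocolatey-managed Tor: matches $p3 but is suppressed by the allow-list.
    ("C:\\ProgramData\\chocolatey\\lib\\tor\\lock", "choco", "SYSTEM", b"tor\\lock"),
]


def run_scan(samples=SAMPLES) -> list[tuple[str, list[str], str]]:
    """Scan each constructed artifact and return (path, matched, verdict)."""
    out = []
    for path, process, user, content in samples:
        result = ScanResult(path, process, user, match_network_tor(content))
        out.append((path, result.matched, triage(result)))
    return out


if __name__ == "__main__":
    for path, matched, verdict in run_scan():
        print(f"{verdict:45} {matched} {path}")
```

The third sample is the point to take away for the apt/yum scenario: on a Linux host the Tor daemon's own files use forward slashes, so this rule is unlikely to fire there at all, and the exclusion mainly matters for Windows hosts (Chocolatey, bundled Tor). The allow-list is deliberately keyed on the normalized process name only to mirror the scenarios; in production, pair it with the signed image path so a dropper named apt.exe or tor.exe does not inherit the exclusion.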