Adversaries may use Teredo network communications to establish covert channels or bypass network security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts that evade traditional network monitoring.
YARA Rule
rule network_toredo {
    meta:
        author = "x0r"
        description = "Communications over Toredo network"
        version = "0.1"
    strings:
        $f1 = "FirewallAPI.dll" nocase
        $p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
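To show exactly which bytes the rule's two strings match and what they miss, here is an added Python emulation of its nocase / all of them logic; it is not code from the page or from the rule's author, and the sample byte buffers are constructed. The wide=True option shows what the rule would additionally catch if its strings carried YARA's wide modifier (UTF-16LE), which the rule as written does not.

```python
import re

# The two strings from the rule above. YARA's "\\" escape denotes one literal
# backslash, so the bytes searched for contain single backslashes.
RULE_STRINGS = {
    "$f1": b"FirewallAPI.dll",
    "$p1": b"\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\",
}


def _search(data: bytes, pattern: bytes, wide: bool = False) -> bool:
    """Case-insensitive ASCII search, mimicking YARA's `nocase` modifier.

    With wide=True the pattern is also tried as UTF-16LE, which is what the
    YARA `wide` modifier would add; the page's rule has no such modifier.
    """
    variants = [pattern]
    if wide:
        variants.append(pattern.decode("ascii").encode("utf-16-le"))
    return any(re.search(re.escape(v), data, re.IGNORECASE) for v in variants)


def evaluate_rule(data: bytes, wide: bool = False) -> dict:
    """Return per-string hits plus the verdict of the `all of them` condition."""
    hits = {name: _search(data, s, wide) for name, s in RULE_STRINGS.items()}
    hits["match"] = all(hits[name] for name in RULE_STRINGS)
    return hits


# Constructed sample buffers (not real binaries).
SAMPLE_BOTH_ASCII = (          # both strings present, mixed case -> matches
    b"\x90" * 8 + b"firewallapi.DLL\x00"
    + b"\\currentcontrolset\\services\\tcpip6\\parameters\\interfaces\\\x00"
)
SAMPLE_ONE_STRING = b"MZ\x90\x00FirewallAPI.dll\x00"   # only $f1 -> no match
SAMPLE_WIDE_PATH = (           # registry path stored as UTF-16LE -> no match
    b"FirewallAPI.dll\x00"
    + "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\".encode("utf-16-le")
)

if __name__ == "__main__":
    for label, buf in [("both ascii", SAMPLE_BOTH_ASCII),
                       ("one string", SAMPLE_ONE_STRING),
                       ("wide path", SAMPLE_WIDE_PATH)]:
        print(label, evaluate_rule(buf), "with wide:", evaluate_rule(buf, wide=True))
```

The UTF-16LE sample is the practical caveat: Windows binaries often hold registry paths as wide strings, so a file can be Teredo-related without this rule firing.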
Scenario: System updates via Windows Update using Teredo
Filter/Exclusion: Exclude traffic from WSUS or update servers, or filter by source IP addresses known to host Windows Update services.
Scenario: Legitimate network discovery using nmap with Teredo support
Filter/Exclusion: Exclude traffic from known internal scanning tools like nmap or masscan, or filter by source IP addresses used for network discovery tasks.
Scenario: Scheduled backup jobs using Teredo for internal replication
Filter/Exclusion: Exclude traffic from backup tools like Veeam, Commvault, or Veritas, or filter by specific backup server IP addresses.
Scenario: Admin task to configure Teredo settings via PowerShell
Filter/Exclusion: Exclude traffic from local admin accounts or specific PowerShell scripts used for network configuration tasks.
Scenario: Internal monitoring tool using Teredo for network health checks
Filter/Exclusion: Exclude traffic from monitoring tools like SolarWinds, PRTG, or Zabbix, or filter by known monitoring server IP addresses.