Full Report
When malware like the Kalambur backdoor leverages native tools like curl.exe to route traffic through TOR, defenders need visibility at the process and command-line level. But in tools like Microsoft Sentinel, queries for such activity—written in Kusto Query Language (KQL)—can quickly grow difficult to interpret. That’s where Uncoder AI’s AI-generated Decision Tree delivers immediate value. […] The post Detecting Covert TOR Access in Microsoft Sentinel with Uncoder AI’s Decision Tree appeared first on SOC Prime.
Analysis Summary
# Tool/Technique: Curl Executions Routed Through TOR
## Overview
This document summarizes a detection methodology focused on identifying instances where the `curl` utility is being used to establish connections to TOR services, specifically targeting `.onion` addresses, often indicative of C2 communication or data exfiltration using the anonymity network. The detection leverages Uncoder AI's decision tree parsing capabilities within Microsoft Sentinel.
## Technical Details
- Type: Technique (Abuse of Legitimate Tool)
- Platform: Windows (implied by `curl.exe`)
- Capabilities: Detecting network execution involving specific command-line arguments (SOCKS protocol usage and `.onion` addresses).
- First Seen: May 01, 2025 (Date of Article Reference)
## MITRE ATT&CK Mapping
The core detection targets the execution of a system utility for network communication to a hidden service.
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (If HTTP/S is used over TOR)
- **TA0005 - Defense Evasion**
  - T1070.004 - File Deletion (If related logs/files are cleaned up)
*(Note: Specific `curl` usage for C2 often maps strongly to T1071.001/T1105. The use of TOR intrinsically relates to C2 over an anonymizing network, which might map partially to T1090 if TOR is used as the proxy.)*
## Functionality
### Core Capabilities
- Identification of a process named `curl.exe`.
- Verification that the command line contains strings indicating SOCKS protocol usage (implying redirection through a proxy like TOR).
- Verification that the command line contains the string `.onion`, confirming the target is a TOR hidden service.
### Advanced Features
- The use of Uncoder AI's Decision Tree provides a transparent, easily understandable breakdown of complex detection logic, improving analyst confidence and trust in the alert generated in Microsoft Sentinel.
- Focuses on **abusing curl for anonymized communications**, turning raw flag inspection into clear threat intelligence.
## Indicators of Compromise
The indicators described are derived from process monitoring logs (e.g., Sysmon Event ID 1):
- File Hashes: N/A (Focus is on behavior, not malware delivery)
- File Names: `curl.exe`
- Registry Keys: N/A
- Network Indicators: Connections initiated to infrastructure using the `.onion` TLD (These are the destination indicators, not typically required for the *process* IOC).
- Behavioral Indicators: Process execution of `curl.exe` where the command line meets the following combined criteria:
  1. `CommandLine contains [SOCKS protocol identifier]`.
  2. `CommandLine contains .onion`.
## Associated Threat Actors
The article summary does not explicitly name a specific threat actor, but the technique—using `curl` to access `.onion` services—is common among actors utilizing anonymity networks for C2 (e.g., various ransomware groups or espionage actors leveraging TOR).
## Detection Methods
- **Log Source Requirement:** Process creation events (e.g., Sysmon Event ID 1) with full command-line logging enabled.
- **Signature-based detection:** Custom rule or query in Microsoft Sentinel specifically checking for the conjunction of `curl.exe` and command-line parameters referencing SOCKS and `.onion`.
- **Behavioral detection:** Monitoring for anomalous use of legitimate tools for specialized network tunneling or access to dark web services.
- **YARA rules:** N/A (This is an activity/command-line hunt, not file-based detection).
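The behavioral indicators listed above and the signature-based detection in this section describe the same three-branch decision: the process is `curl.exe`, the command line references SOCKS, and the command line references a `.onion` destination. The following Python is an added example, not code from the SOC Prime post or from Uncoder AI, that walks that decision over a handful of constructed Sysmon Event ID 1-style records. The field names `EventID`, `Image` and `CommandLine` follow Sysmon naming and are an assumption; the records and the `.onion` hostnames are constructed placeholders.

```python
"""Emulate the curl-over-TOR decision tree on constructed process-creation records.

Added example; not the page's or Uncoder AI's code. Field names mimic Sysmon
Event ID 1 (EventID, Image, CommandLine) and are assumptions.
"""
import re

# Constructed sample events (not real telemetry). Two should fire, four should not.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe --socks5-hostname 127.0.0.1:9050 "
                    "http://placeholderonionaddress.onion/beacon"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -x socks5h://127.0.0.1:9150 https://placeholder.onion/"},
    # Plain HTTPS download: no SOCKS, no .onion.
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -sS https://www.example.com/update.json"},
    # SOCKS proxy to an internal host: SOCKS branch matches, .onion branch does not.
    {"EventID": 1, "Image": r"C:\Tools\curl.exe",
     "CommandLine": "curl.exe --socks5 127.0.0.1:1080 https://intranet.example.local/"},
    # Both strings present, but the process is not curl.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo .onion socks5"},
    # Network-connection event, not process creation.
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe", "CommandLine": ""},
]

# curl's SOCKS usage shows up as --socks4/--socks4a/--socks5/--socks5-hostname
# switches or as socks4a://, socks5://, socks5h:// proxy URLs; all contain "socks4"
# or "socks5".
SOCKS_PATTERN = re.compile(r"socks[45]", re.IGNORECASE)
# A .onion label followed by a non-word character (/, :, end of string) or end.
ONION_PATTERN = re.compile(r"\.onion\b", re.IGNORECASE)


def decide(event):
    """Walk the decision tree for one event.

    Returns (verdict, reason). The reason names the branch that stopped the
    walk, which is the information an analyst wants when reading the alert.
    """
    if event.get("EventID") != 1:
        return (False, "not a process-creation event")
    image = event.get("Image", "")
    # Compare only the file name so the rule is path-independent.
    if image.rsplit("\\", 1)[-1].lower() != "curl.exe":
        return (False, "process is not curl.exe")
    cmd = event.get("CommandLine", "")
    if not SOCKS_PATTERN.search(cmd):
        return (False, "no SOCKS proxy usage on the command line")
    if not ONION_PATTERN.search(cmd):
        return (False, "SOCKS used but destination is not a .onion hidden service")
    return (True, "curl.exe routing a request to a .onion address through SOCKS")


def find_suspicious(events):
    """Return the events on which every branch of the tree matched."""
    return [e for e in events if decide(e)[0]]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, reason = decide(e)
        print(f"{'ALERT ' if verdict else 'ignore'}  {e['Image']!r:45} {reason}")
    print(f"{len(find_suspicious(SAMPLE_EVENTS))} of {len(SAMPLE_EVENTS)} events match")
```

The order of the branches matters for readability rather than correctness: checking the process name first, then SOCKS, then `.onion` mirrors the conjunction the Sentinel query expresses, and returning the branch that failed is what makes a decision-tree view useful when tuning. The fourth sample shows the false-positive class such a rule will not raise (a SOCKS proxy to a non-`.onion` host), and the fifth shows why the process-name branch is needed at all.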
## Mitigation Strategies
- **Prevention measures:** Implementing application control policies (e.g., using AppLocker or WDAC) to restrict or monitor the execution of non-standard utilities like `curl.exe` in sensitive environments, or restricting execution paths.
- **Hardening recommendations:** Regularly review network egress points; deploy network monitoring capable of deep packet inspection or domain/IP reputation checks if the TOR exit nodes are accessible; and monitor for the installation or execution of TOR-related client software.
## Related Tools/Techniques
- **TOR:** The underlying anonymity network being leveraged.
- **Curl:** The abused legitimate utility.
- **Uncoder AI/Decision Trees:** The tool used to create, explain, and deploy the custom detection logic in Sentinel.