Detecting Covert TOR Access in Microsoft Sentinel with Uncoder AI’s Decision Tree
Table of contents:
When malware like the Kalambur backdoor leverages native tools like curl.exe to route traffic through TOR, defenders need visibility at the process and command-line level. But in tools like Microsoft Sentinel, queries for such activity—written in Kusto Query Language (KQL)—can quickly grow difficult to interpret.
That’s where Uncoder AI’s AI-generated Decision Tree delivers immediate value. It transforms complex, nested Sentinel queries into visual logic flows that analysts can read, explain, and act on—without reverse engineering line-by-line.
The Detection: Curl Executions Routed Through TOR
This Microsoft Sentinel query detects suspicious use of curl.exe with command-line arguments that suggest TOR proxy routing via:
socks5h://
socks5://
socks4a://
.onion
domains
These elements are commonly used to anonymize traffic or route it through the TOR network, evading conventional visibility.
Input we used (click to show the text)
SecurityEvent | where EventID == 4688 | where (NewProcessName endswith @'\curl.exe' and (CommandLine contains @'socks5h://' or CommandLine contains @'socks5://' or CommandLine contains @'socks4a://') and CommandLine contains @'.onion')
|
What Uncoder AI’s Decision Tree Unpacked
Uncoder AI broke the KQL logic into a clear 3-step branching structure:
- Process Check:
Is the new processcurl.exe
? - Proxy Parameter Match:
Does the command line contain any of the TOR-related SOCKS proxy strings? - Dark Web Domain Detection:
Does the command line reference a.onion
address?
Each condition builds logically upon the last, making it obvious when and why the detection fires. The AI-generated tree even visualizes these conditions in a flow diagram, helping analysts see the evaluation path from top to bottom.
Why It Matters
In modern threat scenarios:
- Attackers use legitimate tooling to stay under the radar
- TOR and proxy access patterns are subtle and easy to miss
- Command-line-based detections are powerful—but hard to audit
With Uncoder AI’s decision tree, detection engineers gain real-time explainability, making it easier to:
- Validate detection coverage
- Train Tier 1 analysts on what threats look like
- Share rule logic across IR, compliance, or platform teams
AI Output (click to show the text)
A Microsoft Sentinel query!
The condition part of this query is:
```
where (NewProcessName endswith @'\curl.exe' and (CommandLine contains @'socks5h://' or CommandLine contains @'socks5://' or CommandLine contains @'socks4a://') and CommandLine contains @'.onion')
```
Let's break down the decision tree for this condition:
1. **NewProcessName endswith @'\curl.exe'**:
* Check if the `NewProcessName` field ends with the string `\curl.exe`.
* If true, proceed to the next step.
2. **CommandLine contains specific SOCKS protocols**:
* Check if the `CommandLine` field contains any of the following strings:
+ `socks5h://`
+ `socks5://`
+ `socks4a://`
* If any of these conditions are true, proceed to the next step.
3. **CommandLine contains .onion**:
* Check if the `CommandLine` field contains the string `.onion`.
* If true, the entire condition is considered true.
The decision tree can be represented as follows:
```
+-------------------+
| NewProcessName |
| ends with \curl.exe|
+-------------------+
|
|
v
+-------------------+
| CommandLine contains| | socks4a://) |
+-------------------+
|
|
v
+-------------------+
| CommandLine contains|
| .onion |
+-------------------+
|
|
v
+-------------------+
| Condition is TRUE |
+-------------------+
```
In summary, the condition will be true if all three steps are met:
1. The new process name is `curl.exe`.
2. The command line contains a specific SOCKS protocol.
3. The command line contains the string `.onion`.
|
From Curl Flags to Threat Clarity
This rule highlights a sophisticated tactic—abusing curl for anonymized communications. Uncoder AI turns that detection into something any analyst can understand, trust, and take action on.