Detecting Covert TOR Access in Microsoft Sentinel with Uncoder AI’s Decision Tree

[post-views]
May 01, 2025 · 9 min read
Detecting Covert TOR Access in Microsoft Sentinel with Uncoder AI’s Decision Tree

When malware like the Kalambur backdoor leverages native tools like curl.exe to route traffic through TOR, defenders need visibility at the process and command-line level. But in tools like Microsoft Sentinel, queries for such activity—written in Kusto Query Language (KQL)—can quickly grow difficult to interpret.

That’s where Uncoder AI’s AI-generated Decision Tree delivers immediate value. It transforms complex, nested Sentinel queries into visual logic flows that analysts can read, explain, and act on—without reverse engineering line-by-line.

Explore Uncoder AI

The Detection: Curl Executions Routed Through TOR

This Microsoft Sentinel query detects suspicious use of curl.exe with command-line arguments that suggest TOR proxy routing via:

  • socks5h://

  • socks5://

  • socks4a://

  • .onion domains

These elements are commonly used to anonymize traffic or route it through the TOR network, evading conventional visibility.

Input we used (click to show the text)

SecurityEvent | where EventID == 4688 | where (NewProcessName endswith @'\curl.exe' and (CommandLine contains @'socks5h://' or CommandLine contains @'socks5://' or CommandLine contains @'socks4a://') and CommandLine contains @'.onion')

What Uncoder AI’s Decision Tree Unpacked

Uncoder AI broke the KQL logic into a clear 3-step branching structure:

  1. Process Check:
    Is the new process curl.exe ?

  2. Proxy Parameter Match:
    Does the command line contain any of the TOR-related SOCKS proxy strings?

  3. Dark Web Domain Detection:
    Does the command line reference a .onion address?

Each condition builds logically upon the last, making it obvious when and why the detection fires. The AI-generated tree even visualizes these conditions in a flow diagram, helping analysts see the evaluation path from top to bottom.

Why It Matters

In modern threat scenarios:

  • Attackers use legitimate tooling to stay under the radar
  • TOR and proxy access patterns are subtle and easy to miss
  • Command-line-based detections are powerful—but hard to audit

With Uncoder AI’s decision tree, detection engineers gain real-time explainability, making it easier to:

  • Validate detection coverage
  • Train Tier 1 analysts on what threats look like
  • Share rule logic across IR, compliance, or platform teams

AI Output (click to show the text)

A Microsoft Sentinel query!
The condition part of this query is:
```
where (NewProcessName endswith @'\curl.exe' and (CommandLine contains @'socks5h://' or CommandLine contains @'socks5://' or CommandLine contains @'socks4a://') and CommandLine contains @'.onion')
```
Let's break down the decision tree for this condition:
1. **NewProcessName endswith @'\curl.exe'**:
* Check if the `NewProcessName` field ends with the string `\curl.exe`.
* If true, proceed to the next step.
2. **CommandLine contains specific SOCKS protocols**:
* Check if the `CommandLine` field contains any of the following strings:
+ `socks5h://`
+ `socks5://`
+ `socks4a://`
* If any of these conditions are true, proceed to the next step.
3. **CommandLine contains .onion**:
* Check if the `CommandLine` field contains the string `.onion`.
* If true, the entire condition is considered true.
The decision tree can be represented as follows:
```
                                      +-------------------+
                                      |  NewProcessName  |
                                      |  ends with \curl.exe|
                                      +-------------------+
                                             |
                                             |
                                             v
                                      +-------------------+
                                      |  CommandLine contains|

                                      |  SOCKS protocols    |

                                      |  (socks5h://, socks5://,|
                                      |   socks4a://)        |
                                      +-------------------+
                                             |
                                             |
                                             v
                                      +-------------------+
                                      |  CommandLine contains|
                                      |  .onion             |
                                      +-------------------+
                                             |
                                             |
                                             v
                                      +-------------------+
                                      |  Condition is TRUE  |
                                      +-------------------+
```
In summary, the condition will be true if all three steps are met:
1. The new process name is `curl.exe`.
2. The command line contains a specific SOCKS protocol.
3. The command line contains the string `.onion`.

From Curl Flags to Threat Clarity

This rule highlights a sophisticated tactic—abusing curl for anonymized communications. Uncoder AI turns that detection into something any analyst can understand, trust, and take action on.

Explore Uncoder AI

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts