Connections to Tor Exit Nodes
Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.
Tags: EDR, hunting, T1090.003
FDR, intermediate, by ByteRay GmbH (cql-hub.com), 1 min read
Query
#event_simpleName=NetworkConnectIP4
// Keep only events whose remote address appears in the `ip` column of the lookup file (strict=true drops non-matching events)
| match(file="tor-exit-nodes.csv", field=RemoteAddressIP4, column=ip, strict=true)
| groupBy(
  [aid, ComputerName],
  function=[
    count(aid, as=ConnectionCount),
    // Distinct remote addresses per host; counting distinct aid here would always yield 1 because aid is a groupBy key
    count(RemoteAddressIP4, distinct=true, as=UniqueIPs),
    collect([RemoteAddressIP4, RemotePort]),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ]
)
| FirstSeen := formatTime(format="%Y-%m-%d %H:%M:%S", field=FirstSeen)
| LastSeen := formatTime(format="%Y-%m-%d %H:%M:%S", field=LastSeen)
| sort(ConnectionCount, order=desc)
Explanation
Imported from cql-hub.com. Add pipe explanation here.
Variables to adjust
Review and adjust the values according to your environment.
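To show what each pipe of the query does on concrete telemetry, the following Python is an added illustration (not part of the cql-hub page or ByteRay's query) that reproduces the match, groupBy, formatTime and sort stages over constructed sample events and a constructed lookup file; the event field names follow the query, the IPs are RFC 5737 documentation addresses, and collect() is approximated as the set of (ip, port) pairs.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the tor-exit-nodes.csv lookup file the query matches against.
TOR_EXIT_NODES_CSV = """ip
203.0.113.5
198.51.100.77
"""

# Constructed NetworkConnectIP4 events using RFC 5737 documentation addresses; not real telemetry.
EVENTS = [
    {"aid": "a1", "ComputerName": "WS01", "RemoteAddressIP4": "203.0.113.5", "RemotePort": 9001, "@timestamp": 1704067200000},
    {"aid": "a1", "ComputerName": "WS01", "RemoteAddressIP4": "203.0.113.5", "RemotePort": 443, "@timestamp": 1704070800000},
    {"aid": "a1", "ComputerName": "WS01", "RemoteAddressIP4": "198.51.100.77", "RemotePort": 9001, "@timestamp": 1704074400000},
    {"aid": "a2", "ComputerName": "WS02", "RemoteAddressIP4": "192.0.2.10", "RemotePort": 443, "@timestamp": 1704067200000},
]

def load_exit_nodes(csv_text):
    """Reads the lookup file; match(column=ip) compares RemoteAddressIP4 against this column."""
    return {row["ip"] for row in csv.DictReader(io.StringIO(csv_text))}

def fmt(ts_ms):
    """formatTime(format="%Y-%m-%d %H:%M:%S") applied to an epoch-millisecond @timestamp (UTC)."""
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def hunt_tor_connections(events, exit_nodes):
    """match(strict=true) drops non-matching events, then groupBy([aid, ComputerName]) aggregates."""
    groups = defaultdict(list)
    for ev in events:
        if ev["RemoteAddressIP4"] in exit_nodes:  # strict=true: only matching events continue
            groups[(ev["aid"], ev["ComputerName"])].append(ev)
    rows = []
    for (aid, host), evs in groups.items():
        rows.append({
            "aid": aid, "ComputerName": host,
            "ConnectionCount": len(evs),                                   # count(aid)
            "UniqueIPs": len({e["RemoteAddressIP4"] for e in evs}),       # count(RemoteAddressIP4, distinct=true)
            "Connections": sorted({(e["RemoteAddressIP4"], e["RemotePort"]) for e in evs}),  # collect(), as pairs
            "FirstSeen": fmt(min(e["@timestamp"] for e in evs)),          # min(@timestamp) + formatTime
            "LastSeen": fmt(max(e["@timestamp"] for e in evs)),           # max(@timestamp) + formatTime
        })
    return sorted(rows, key=lambda r: r["ConnectionCount"], reverse=True)  # sort(ConnectionCount, order=desc)

if __name__ == "__main__":
    for row in hunt_tor_connections(EVENTS, load_exit_nodes(TOR_EXIT_NODES_CSV)):
        print(row)
```

Host WS02 never reaches a listed exit node, so it is dropped by the strict match and does not appear in the output; WS01 shows three connections to two distinct exit IPs.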