Hunting off the Red Banner

Detecting Advanced SSH-Tor Backdoors Targeting Defense Sectors


Unlike the noise of an immediate ransomware attack, the Advanced SSH-Tor Backdoor campaign operates as a ghost in the machine, employing a multi-stage infection to establish persistent, anonymous remote access deep within targeted networks. This sophisticated intrusion chain leverages social engineering with military-themed documents to deploy a covert Command and Control (C2) channel that bypasses standard network defenses.


Consider this campaign the cybersecurity equivalent of a mole installing a private, unmarked elevator inside your highly-secured corporate headquarters. Instead of relying on the main entrance (standard protocols) that security watches closely, the adversary uses this hidden, obfs4-encrypted elevator (Tor with obfuscation) to come and go undetected. This tunnelled access is used to deploy sensitive protocols like RDP, SSH, and SMB for full system control and intelligence gathering.


The primary risk is a severe, long-term intelligence and data loss event, which is far more damaging than a temporary system outage. Since the threat actor tunnels critical protocols over anonymous C2, they can conduct extensive lateral movement and data exfiltration for months before detection. For organizations in defense, government, or critical infrastructure, this breach translates directly into severe regulatory non-compliance, catastrophic reputation damage, and the loss of state secrets or proprietary intellectual property. The complexity of the C2 infrastructure suggests a state-sponsored motivation, requiring a professional threat hunting response proportionate to the risk.


Hunting Controls & Observations

Defensive teams should pivot from static indicator matching to behavioral correlation across endpoint, identity, and network telemetry to detect this multi-stage attack:

  • Endpoint (EDR/AV): Monitor for nested archive extraction from user directories, PowerShell processes spawning from LNK files, and legitimate-looking binaries executing from AppData locations with suspicious command-line arguments referencing non-standard configuration files.
  • Identity/IAM: Track authentication patterns showing localhost SSH connections on non-standard ports, particularly those originating from user profile directories rather than system service accounts or expected administrative tools.
  • Firewall / NetFlow: Identify egress connections to known Tor bridge infrastructure and detect obfs4-obfuscated traffic patterns that attempt to disguise anonymization network usage as normal HTTPS communications.
  • Windows Security Log: Capture scheduled task creation events (Event ID 4698) originating from PowerShell processes, especially those creating hidden tasks with logon triggers and suspicious executable paths in user profile directories.
  • Email Security & Proxy Logs: Flag archive attachments with nested ZIP structures, double file extensions mimicking PDF documents, and Russian or Belarusian language filenames claiming to be official military correspondence.
  • DNS Query Logs: Detect DNS queries for .onion domains attempted through local resolvers, which indicate Tor hidden service access attempts that should not occur in typical enterprise environments.

Behavioral Indicators of Attack

Behavioral indicators of the attack include the following observations:

  • PowerShell executing archive extraction commands from LNK shortcut files with hidden window parameters, followed by execution of text file contents as additional PowerShell scripts.
  • Environmental validation checks counting recent LNK files and active processes to evade sandbox environments, with script termination if thresholds are not met.
  • Scheduled tasks created with XML configuration files referencing executables renamed to mimic legitimate applications like githubdesktop.exe, pinterest.exe, or googlemaps.exe located in AppData\Roaming subdirectories.
  • SSH server processes listening on non-standard ports bound to localhost addresses, configured to deny password authentication and accept only pre-deployed RSA key-based access.
  • Tor executable processes launched with custom configuration files enabling hidden services that expose multiple local ports including SSH, RDP, SMB, and SFTP through .onion addresses.
  • Implementation of obfs4 pluggable transport protocols through standalone executables that obfuscate Tor traffic patterns to evade network detection systems.
  • Curl commands with aggressive retry logic transmitting system hostnames and victim-specific .onion addresses to attacker-controlled command and control infrastructure via local SOCKS5 proxies.
  • Decoy PDF documents displayed to victims from AppData directories while malicious scheduled tasks establish persistence and backdoor functionality in the background.
  • Pre-generated RSA private and public key pairs deployed within malicious archives, eliminating runtime key generation that could trigger cryptographic operation monitoring alerts.

MITRE Enterprise ATT&CK Tactics and Techniques

The attack methodology aligns closely with established patterns documented in the MITRE ATT&CK Enterprise Matrix, demonstrating sophisticated tradecraft across multiple tactics:

  • Initial Access (T1566.001 – Spearphishing Attachment): Adversaries distribute weaponized ZIP archives containing malicious LNK files disguised as military PDF documents through targeted email campaigns, exploiting user trust in official-looking correspondence to initiate the infection chain.
  • Execution (T1204.002 – User Execution: Malicious File): Victims unknowingly trigger the attack by opening what appears to be a legitimate PDF document, which actually executes embedded PowerShell commands through the LNK shortcut mechanism.
  • Execution (T1059.001 – Command and Scripting Interpreter: PowerShell): Attackers leverage PowerShell for multi-stage payload execution, archive extraction, environmental validation, scheduled task creation, and command and control beacon transmission while evading signature-based detection.
  • Persistence (T1053.005 – Scheduled Task/Job: Scheduled Task): Malware establishes persistence through Windows scheduled tasks configured with both logon triggers and daily execution schedules, ensuring backdoor availability survives system reboots and maintains long-term access.
  • Defense Evasion (T1036.005 – Masquerading: Match Legitimate Name or Location): Threat actors rename malicious executables to mimic popular legitimate applications like GitHub Desktop, Pinterest, Google Maps, and eBay, storing them in user profile directories where similar application data might reasonably exist.
  • Defense Evasion (T1497 – Virtualization/Sandbox Evasion): PowerShell scripts implement environmental checks validating system characteristics such as recent file counts and active processes, terminating execution in analysis environments while proceeding on genuine user machines.
  • Defense Evasion (T1027 – Obfuscated Files or Information): Attackers obfuscate malicious components through nested archive structures, encoded configuration files with misleading names, and the implementation of traffic obfuscation protocols to hide network communications.
  • Credential Access (T1552.004 – Unsecured Credentials: Private Keys): Pre-generated RSA private keys embedded within the malware enable immediate authenticated access without runtime key generation, reducing operational footprint and minimizing detection opportunities.
  • Command and Control (T1071.001 – Application Layer Protocol: Web Protocols): The malware uses curl over HTTP to register compromised systems with command and control infrastructure, transmitting victim information including hostnames and generated .onion addresses.
  • Command and Control (T1090.003 – Proxy: Multi-hop Proxy): Adversaries route all command and control communications through the Tor anonymization network using SOCKS5 proxies, masking their true location and infrastructure behind multiple encrypted relay hops.
  • Command and Control (T1573.002 – Encrypted Channel: Asymmetric Cryptography): SSH-based remote access relies on RSA public key cryptography for authentication and encrypted communications, preventing password-based access attempts and ensuring only authorized attackers can connect.
  • Command and Control (T1572 – Protocol Tunneling): The implementation of obfs4 pluggable transport effectively tunnels Tor traffic through obfuscation layers that disguise anonymization protocols as normal network activity, significantly complicating detection efforts.
  • Exfiltration (T1041 – Exfiltration Over C2 Channel): Data exfiltration occurs through established SSH and SFTP channels over Tor hidden services, allowing attackers to extract sensitive military intelligence through the same encrypted, anonymous infrastructure used for command execution.

Controls' Observables

Organizations can observe these attack behaviors across multiple control points in their security architecture, requiring correlation between traditionally siloed monitoring systems:


Endpoint Controls

  • Endpoint Detection and Response (EDR) platforms capture the complete process execution chain, revealing LNK files spawning hidden PowerShell processes that extract nested archives and execute text files as scripts from user profile directories.
  • Sysmon Event ID 1 (Process Creation) logs expose command-line arguments showing PowerShell archive extraction commands, Expand-Archive cmdlets targeting specific ZIP files, and execution of configuration files passed to renamed legitimate binaries.
  • Sysmon Event ID 3 (Network Connection) records localhost connections on non-standard ports such as 20321 for SSH and 9050 for local SOCKS5 proxies, indicating internal service exposure through Tor infrastructure.
  • Sysmon Event ID 11 (File Creation) detects the extraction of multiple suspicious files including obfuscated configuration text files, XML scheduled task definitions, and renamed executables placed in AppData\Roaming subdirectories.
  • PowerShell script block logging (Event ID 4104) captures the full content of executed PowerShell scripts, exposing anti-sandbox checks, scheduled task registration commands, and curl-based beacon transmission logic.
  • Application whitelisting and execution control solutions flag attempts to run unsigned or low-prevalence executables from user profile directories, particularly those masquerading as popular applications.

Network Controls

  • Firewall egress logs identify outbound connections to known Tor bridge infrastructure on ports 8080 and 33333, particularly to IP addresses 77.20.116.133 and 156.67.24.239 associated with obfs4 bridge relays.
  • Network flow analysis reveals sustained connections to international infrastructure in Germany, France, Poland, and Canada that demonstrate characteristics of Tor relay traffic including consistent connection patterns and specific protocol behaviors.
  • Deep packet inspection systems detect obfs4 traffic patterns attempting to disguise Tor usage, though obfuscation significantly complicates signature-based identification compared to standard Tor protocols.
  • DNS monitoring systems capture anomalous queries for .onion domains attempted through local resolvers, which should never occur in legitimate enterprise traffic patterns.
  • SSL/TLS inspection identifies encrypted traffic patterns consistent with SSH over Tor tunnels, showing characteristics such as specific handshake patterns and persistent encrypted channels to hidden service addresses.

Identity & Access Controls

  • Windows Security Event ID 4698 (Scheduled Task Created) captures the registration of malicious scheduled tasks with XML configurations, exposing task names, executable paths in user directories, and logon trigger mechanisms.
  • Windows Security Event ID 4624 (Successful Logon) combined with Event ID 4672 (Special Privileges Assigned) may reveal elevated privilege operations associated with service installations or configuration changes during malware deployment.
  • Authentication logs show unusual SSH authentication patterns originating from localhost addresses rather than expected remote administrative hosts, particularly using key-based authentication to non-standard ports.
  • Privileged Access Management (PAM) systems detect attempts to access administrative protocols like RDP, SMB, and SSH from unexpected source contexts, especially those originating through localhost proxy mechanisms.

Cloud & SaaS

  • Email security gateways equipped with advanced attachment analysis capabilities detect nested archive structures, double file extensions, and archive-within-archive patterns that characterize this delivery mechanism.
  • Cloud-delivered email protection services flag messages with Russian or Belarusian language attachments claiming to be military documents, particularly those with double extensions attempting to masquerade as PDF files.
  • Sandbox detonation services may struggle to fully analyze this malware due to implemented environmental checks, but can still detect initial PowerShell execution and archive extraction behaviors in certain configurations.

Application & Service Logs

  • Task Scheduler service logs record the creation and execution of scheduled tasks, including modifications to task configurations and failed execution attempts that may indicate environmental validation failures.
  • OpenSSH service logs demonstrate SSH server initialization on non-standard ports, authentication attempts using public key mechanisms, and session establishment from local proxy connections.
  • Tor application logs reveal hidden service initialization, bridge connection establishment, and traffic routing through obfs4 pluggable transports, though these logs may be difficult to access in compromised environments.
  • Windows Event Logs capture archive extraction operations, file creation events in user profile directories, and process execution chains showing relationships between LNK files and subsequent PowerShell activity.

Insights and Recommendations

If this threat is not addressed swiftly, the adversary will maintain a long-term, anonymous foothold within the environment, leading to ongoing espionage, credential theft, and intellectual property loss that remains entirely invisible to conventional security monitoring. This silent persistence allows them to map the network and escalate privileges before launching a highly destructive or costly operation at a time of their choosing.


Organizations must prioritize behavioral-based detection and proactive threat hunting across their endpoints and network egress points. This requires a strategic focus on auditing scheduled tasks, blocking or flagging unexpected process execution in user profile directories, and implementing strict controls to identify and prevent the use of sophisticated anonymization protocols like obfs4 and the Tor network.


Sources and Credits

This summary is based on public information provided from Cyble's research article "Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor" published on October 31, 2025, and Seqrite's research article "Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus" published on 31 October 2025, which provided complementary details on the infection chain and IOCs.


Threat Hunting IOCs & Queries

This section contains known Indicators of Compromise (IOCs) identified from the threat intelligence sources, along with Microsoft Log Analytics (KQL) and Splunk queries to detect this sophisticated SSH-Tor backdoor campaign. These detection queries focus on behavioral patterns rather than static indicators, as the malware employs significant obfuscation and uses legitimate binaries for malicious purposes. All queries include AI assistance and should be validated in test environments before production deployment.


Known Indicators of Compromise

The following IOCs have been identified from the intelligence and can be used for threat hunting:

  • File Hashes (SHA-256):
    30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4 (ZIP archive)
    99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9 (LNK file)
    7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f (PowerShell script)
    5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7 (Decoy PDF)
  • File Hashes (MD5):
    952f86861feeaf9821685cc203d67004 (ZIP archive - Russian campaign)
    8716989448bc88ba125aead800021db0 (ZIP archive - Belarusian campaign)
    32bdbf5c26e691cbbd451545bca52b56 (LNK file - Russian campaign)
    2731b3e8524e523a84dc7374ae29ac23 (LNK file - Belarusian campaign)
  • IP Addresses (Tor Bridges):
    77.20.116.133:8080 (Vodafone GmbH, Germany - obfs4 bridge)
    156.67.24.239:33333 (Contabo GmbH, France - obfs4 bridge)
    146.59.116.226:50845 (OVH SAS, Poland)
    142.189.114.119:443 (BACOM, Canada)
  • Domains (.onion):
    yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion (C2 infrastructure)
    taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid[.]onion (Example victim hidden service)
  • File Paths (User Profile Directories):
    %APPDATA%\logicpro\ (Malware installation directory - Campaign 1)
    %APPDATA%\reaper\ (Malware installation directory - Campaign 2)
    %APPDATA%\dynamicUpdatingHashingScalingContext\ (Extraction directory)
    %USERPROFILE%\Downloads\incrementalStreamingMergingSocket\ (Extraction directory)
  • File Names (Masquerading Executables):
    githubdesktop.exe (OpenSSH sshd.exe)
    googlemaps.exe (OpenSSH sshd.exe)
    pinterest.exe (Tor executable)
    googlesheets.exe (Tor executable)
    confluence.exe (obfs4proxy)
    rider.exe (obfs4proxy)
    ebay.exe (SFTP server)

Threat Hunting Queries

The following queries translate behavioral indicators into actionable detection logic for common SIEM platforms. Each query includes context, tuning guidance, and expected false positive assessment. These queries were developed with AI assistance and should be tested before production deployment.


Query 1: LNK File Spawning PowerShell with Archive Extraction

  • Behavior Targeted: Detection of LNK shortcut files executing PowerShell commands that perform archive extraction operations, indicative of the initial infection stage.
  • MITRE ATT&CK: T1204.002 - User Execution: Malicious File, T1059.001 - PowerShell
  • Expected Results: Processes where LNK files invoke PowerShell with archive extraction commands, particularly Expand-Archive cmdlets targeting ZIP files in Downloads or temporary directories.
  • False Positive Likelihood: Low to Medium – Legitimate software installers occasionally use LNK shortcuts with PowerShell, but archive extraction from user directories is uncommon in enterprise environments.
  • Tuning Guidance: Whitelist known software deployment tools by parent process hash or verified software publisher. Exclude LNK files from trusted network shares used for software distribution. Focus on LNK files from Downloads, Desktop, or email attachment paths. Adjust time window to 24-48 hours for initial hunting, then tune to real-time alerting based on baseline.

Splunk (SPL)

// Detect LNK files spawning PowerShell with archive extraction commands
// Tuning: Exclude known deployment tools; focus on user-initiated paths
// Time Range: Last 48 hours (adjust for environment)

index=windows sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
| where (ParentImage LIKE "%.lnk" OR ParentCommandLine LIKE "%.lnk") 
    AND (Image LIKE "%powershell.exe" OR Image LIKE "%pwsh.exe")
    AND (CommandLine LIKE "%Expand-Archive%" OR CommandLine LIKE "%[System.IO.Compression%")
| stats count by _time, ComputerName, User, ParentImage, CommandLine, Image
| where count > 0
| eval severity=if(CommandLine LIKE "%hidden%", "High", "Medium")
| table _time, ComputerName, User, ParentImage, CommandLine, severity
| sort -_time

Microsoft Defender/Sentinel (KQL)

// Detect LNK files spawning PowerShell with archive extraction commands
// Data Tables: DeviceProcessEvents
// Tuning: Exclude verified software installers by SHA256 hash
// Time Range: Last 48 hours (adjust for environment)

DeviceProcessEvents
| where Timestamp > ago(48h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName endswith ".lnk" 
    or InitiatingProcessCommandLine has ".lnk"
| where ProcessCommandLine has_any ("Expand-Archive", "[System.IO.Compression", ".zip")
| where ProcessCommandLine !has "known_deployment_tool.lnk"  // Add your exclusions
| extend Severity = iff(ProcessCommandLine has "hidden", "High", "Medium")
| project Timestamp, DeviceName, AccountName, 
          InitiatingProcessFileName, 
          InitiatingProcessCommandLine,
          ProcessCommandLine,
          Severity
| order by Timestamp desc

Query 2: Scheduled Task Creation from PowerShell with User Directory Executables

  • Behavior Targeted: Detection of scheduled tasks created by PowerShell processes that reference executable files located in user profile directories, indicating persistence mechanism establishment.
  • MITRE ATT&CK: T1053.005 - Scheduled Task/Job: Scheduled Task
  • Expected Results: Scheduled task creation events where PowerShell registers tasks with XML configurations pointing to executables in AppData or user profile directories, especially with hidden task attributes.
  • False Positive Likelihood: Medium – Some legitimate applications create scheduled tasks from PowerShell for updates, but tasks referencing user directory executables are less common and warrant investigation.
  • Tuning Guidance: Focus on scheduled tasks with executables in AppData\Roaming, AppData\Local, or other non-standard locations. Exclude tasks created by system accounts or known software updaters. Monitor for task names that attempt to masquerade as legitimate services. Alert on tasks with both logon triggers and recurring schedules. Review tasks marked as hidden or running with highest privileges.

Splunk (SPL)

// Detect scheduled tasks created by PowerShell with user directory executables
// Tuning: Exclude known application updaters; focus on hidden tasks
// Time Range: Last 7 days

index=windows sourcetype=WinEventLog:Security EventCode=4698
| rex field=Task_Content "(?%APPDATA%[^<]+\.exe|AppData[^<]+\.exe)"
| where isnotnull(ExecutablePath)
| where Task_Content LIKE "%powershell%" OR Task_Content LIKE "%pwsh%"
| stats count by _time, ComputerName, Account_Name, Task_Name, ExecutablePath
| eval risk_score=if(Task_Content LIKE "%Hidden%", 90, 70)
| where risk_score > 60
| table _time, ComputerName, Account_Name, Task_Name, ExecutablePath, risk_score
| sort -risk_score, -_time

Microsoft Defender/Sentinel (KQL)

// Detect scheduled tasks created by PowerShell with user directory executables
// Data Tables: DeviceProcessEvents, DeviceEvents
// Tuning: Correlate with process creation for full context
// Time Range: Last 7 days

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("schtasks.exe", "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Register-ScheduledTask", "/Create", "New-ScheduledTask")
| where ProcessCommandLine has_any ("AppData", "%APPDATA%", "Users\\")
| extend ExecutablePath = extract(@"(AppData[^\s]+\.exe|%APPDATA%[^\s]+\.exe)", 1, ProcessCommandLine)
| where isnotnull(ExecutablePath)
| extend RiskScore = iff(ProcessCommandLine has "Hidden", 90, 70)
| project Timestamp, DeviceName, AccountName, 
          ProcessCommandLine, 
          ExecutablePath,
          RiskScore
| where RiskScore > 60
| order by RiskScore desc, Timestamp desc

Query 3: Localhost Network Listeners on Non-Standard Ports from User Directories

  • Behavior Targeted: Detection of processes binding network listeners to localhost addresses on non-standard ports, particularly when the executable originates from user profile directories, indicating backdoor service establishment.
  • MITRE ATT&CK: T1571 - Non-Standard Port
  • Expected Results: Network connections showing localhost binding on unusual ports like 20321 (SSH), 9050 (SOCKS5), or other non-standard service ports from processes running out of AppData directories.
  • False Positive Likelihood: Medium – Development tools and some applications use localhost listeners, but ports in the 20000+ range from user directories are highly suspicious and warrant investigation.
  • Tuning Guidance: Focus on localhost listeners (127.0.0.1) on ports outside standard ranges (not 80, 443, 3389, 445). Whitelist known development tools by process hash. Alert on renamed executables mimicking popular applications (github, google, pinterest) from AppData. Correlate with scheduled task creation and PowerShell activity. Increase alert severity for SOCKS proxy ports (9050-9051) indicating Tor usage.

Splunk (SPL)

// Detect localhost network listeners on non-standard ports from user directories
// Tuning: Exclude known dev tools; focus on suspicious port ranges
// Time Range: Last 24 hours

index=windows sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=3
| where dest_ip="127.0.0.1" AND dest_port > 1024
| where (Image LIKE "%AppData%" OR Image LIKE "%Users%")
| where dest_port NOT IN (3389, 445, 80, 443, 8080)
| stats count by _time, ComputerName, User, Image, dest_port, ProcessId
| eval risk_level=case(
    dest_port >= 9050 AND dest_port <= 9051, "Critical-TorProxy",
    dest_port >= 20000, "High-NonStandardSSH",
    1=1, "Medium-Investigate"
)
| where risk_level!="Medium-Investigate" OR count > 5
| table _time, ComputerName, User, Image, dest_port, risk_level
| sort -risk_level, -_time

Microsoft Defender/Sentinel (KQL)

// Detect localhost network listeners on non-standard ports from user directories
// Data Tables: DeviceNetworkEvents, DeviceProcessEvents
// Tuning: Correlate with process origin for comprehensive detection
// Time Range: Last 24 hours

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIP == "127.0.0.1" or LocalIP == "127.0.0.1"
| where RemotePort > 1024 
| where RemotePort !in (3389, 445, 80, 443, 8080)
| where InitiatingProcessFolderPath has_any ("AppData", "Users")
| extend RiskLevel = case(
    RemotePort >= 9050 and RemotePort <= 9051, "Critical-TorProxy",
    RemotePort >= 20000, "High-NonStandardSSH",
    "Medium-Investigate"
)
| summarize Count=count(),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp),
            Devices=make_set(DeviceName)
    by InitiatingProcessFileName, 
       InitiatingProcessFolderPath,
       RemotePort,
       RiskLevel
| where RiskLevel != "Medium-Investigate" or Count > 5
| project-reorder FirstSeen, LastSeen, 
                  InitiatingProcessFileName,
                  InitiatingProcessFolderPath, 
                  RemotePort, 
                  RiskLevel, 
                  Count
| order by RiskLevel desc, Count desc

Query 4: Tor Bridge Infrastructure and Obfs4 Connection Detection

  • Behavior Targeted: Detection of network connections to known Tor bridge infrastructure, particularly connections using obfs4 obfuscation on non-standard ports, indicating anonymization network usage for command and control.
  • MITRE ATT&CK: T1090.003 - Proxy: Multi-hop Proxy
  • Expected Results: Egress connections to specific IP addresses associated with Tor bridge relays on ports 8080 and 33333, particularly sustained connections suggesting active C2 communications.
  • False Positive Likelihood: Low – Connections to these specific Tor bridge IPs from enterprise environments are highly unusual and almost always indicate malicious activity or policy violations.
  • Tuning Guidance: Maintain updated threat intelligence feeds with known Tor relay and bridge IP addresses. Monitor for sustained connections (>5 minutes) to these IPs. Correlate with localhost SOCKS proxy usage and scheduled task creation. Alert on any obfs4 bridge connections as these indicate deliberate anonymization attempts. Consider blocking these IPs at firewall if Tor usage is prohibited by policy. Update IP list monthly as Tor infrastructure changes.

Splunk (SPL)

// Detect connections to known Tor bridge infrastructure
// Tuning: Update IP list monthly; correlate with local proxy usage
// Time Range: Last 7 days

index=firewall OR index=network
| where (dest_ip="77.20.116.133" AND dest_port=8080) 
    OR (dest_ip="156.67.24.239" AND dest_port=33333)
    OR (dest_ip="146.59.116.226" AND dest_port=50845)
    OR (dest_ip="142.189.114.119" AND dest_port=443)
| stats count, 
        min(_time) as first_seen, 
        max(_time) as last_seen,
        sum(bytes_out) as total_bytes_out
    by src_ip, dest_ip, dest_port, src_host
| eval duration_seconds=last_seen-first_seen
| eval severity=case(
    duration_seconds > 300, "Critical-SustainedC2",
    count > 10, "High-MultipleAttempts",
    1=1, "Medium-SingleConnection"
)
| convert ctime(first_seen) ctime(last_seen)
| table src_host, src_ip, dest_ip, dest_port, count, 
        first_seen, last_seen, duration_seconds, total_bytes_out, severity
| sort -severity, -count

Microsoft Defender/Sentinel (KQL)

// Detect connections to known Tor bridge infrastructure
// Data Tables: DeviceNetworkEvents
// Tuning: Update Tor bridge IPs monthly from threat intelligence
// Time Range: Last 7 days

let TorBridges = dynamic([
    "77.20.116.133:8080",
    "156.67.24.239:33333",
    "146.59.116.226:50845",
    "142.189.114.119:443"
]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| extend DestIPPort = strcat(RemoteIP, ":", RemotePort)
| where DestIPPort in (TorBridges)
| summarize Count=count(),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp),
            TotalBytesOut=sum(SentBytes),
            Devices=make_set(DeviceName)
    by RemoteIP, RemotePort, InitiatingProcessFileName
| extend DurationSeconds = datetime_diff('second', LastSeen, FirstSeen)
| extend Severity = case(
    DurationSeconds > 300, "Critical-SustainedC2",
    Count > 10, "High-MultipleAttempts",
    "Medium-SingleConnection"
)
| project-reorder FirstSeen, LastSeen, 
                  RemoteIP, RemotePort,
                  InitiatingProcessFileName,
                  Count, DurationSeconds, 
                  TotalBytesOut, Severity
| order by Severity desc, Count desc

Query 5: PowerShell Environmental Validation and Anti-Sandbox Checks

  • Behavior Targeted: Detection of PowerShell scripts implementing environmental validation by counting LNK files in Recent folders and checking process counts, indicating anti-analysis evasion techniques.
  • MITRE ATT&CK: T1497 - Virtualization/Sandbox Evasion
  • Expected Results: PowerShell commands accessing the Recent folder, enumerating LNK files, or checking Get-Process counts, particularly when combined with conditional logic determining script execution.
  • False Positive Likelihood: Medium to High – System administration scripts legitimately check system resources, but specific checks for LNK file counts in Recent folders combined with process enumeration are suspicious.
  • Tuning Guidance: Focus on PowerShell script block logging to capture full command context. Alert on scripts that combine Recent folder access with process counting. Correlate with other indicators such as archive extraction or scheduled task creation in the same process tree. Whitelist known system maintenance scripts by hash. Consider this indicator as part of a broader detection chain rather than standalone alert. Increase alert priority when environmental checks precede suspicious file operations.

Splunk (SPL)

// Detect PowerShell environmental validation and anti-sandbox checks
// Tuning: Correlate with archive extraction for higher confidence
// Time Range: Last 48 hours

index=windows sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104
| where (ScriptBlockText LIKE "%Recent%" AND ScriptBlockText LIKE "%.lnk%") 
    OR (ScriptBlockText LIKE "%Get-Process%" AND ScriptBlockText LIKE "%count%" AND ScriptBlockText LIKE "%gt%")
    OR (ScriptBlockText LIKE "%Shell.Application%" AND ScriptBlockText LIKE "%Recent%")
| where ScriptBlockText LIKE "%if%" OR ScriptBlockText LIKE "%Where-Object%"
| stats count by _time, ComputerName, UserName, ScriptBlockText
| eval confidence=case(
    ScriptBlockText LIKE "%Recent%" AND ScriptBlockText LIKE "%Get-Process%", "High",
    ScriptBlockText LIKE "%Expand-Archive%", "High",
    1=1, "Medium"
)
| table _time, ComputerName, UserName, ScriptBlockText, confidence
| sort -confidence, -_time

Microsoft Defender/Sentinel (KQL)

// Detect PowerShell environmental validation and anti-sandbox checks
// Data Tables: DeviceEvents (PowerShell script block logging)
// Tuning: Enable PowerShell script block logging; correlate with process tree
// Time Range: Last 48 hours

DeviceEvents
| where Timestamp > ago(48h)
| where ActionType == "PowerShellCommand"
| where AdditionalFields has_any ("Recent", "Get-Process", ".lnk")
| extend ScriptContent = tostring(AdditionalFields.ScriptBlockText)
| where (ScriptContent has "Recent" and ScriptContent has ".lnk")
    or (ScriptContent has "Get-Process" and ScriptContent has "count" and ScriptContent has "gt")
    or (ScriptContent has "Shell.Application" and ScriptContent has "Recent")
| where ScriptContent has_any ("if (", "where ", "Where-Object")
| extend Confidence = case(
    ScriptContent has "Recent" and ScriptContent has "Get-Process", "High",
    ScriptContent has "Expand-Archive", "High",
    "Medium"
)
| project Timestamp, DeviceName, AccountName, 
          InitiatingProcessFileName,
          ScriptContent,
          Confidence
| where Confidence == "High"
| order by Timestamp desc