Skip to content

kevlo-cyber/threat-hunting-scenario-tor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 
threat-hunting-scenario-tor-event-creation.md
threat-hunting-scenario-tor-event-creation.md
 
 

Repository files navigation

Tor Logo with the onion and a crosshair on it

Threat Hunt Report: Unauthorized TOR Usage

Platforms and Languages Leveraged

  • Windows 10 Virtual Machines (Microsoft Azure)
  • EDR Platform: Microsoft Defender for Endpoint
  • Kusto Query Language (KQL)
  • Tor Browser

Scenario

Management suspects that some employees may be using TOR browsers to bypass network security controls because recent network logs show unusual encrypted traffic patterns and connections to known TOR entry nodes. Additionally, there have been anonymous reports of employees discussing ways to access restricted sites during work hours. The goal is to detect any TOR usage and analyze related security incidents to mitigate potential risks. If any use of TOR is found, notify management.

High-Level TOR-Related IoC Discovery Plan

  • Check DeviceFileEvents for any tor(.exe) or firefox(.exe) file events.
  • Check DeviceProcessEvents for any signs of installation or usage.
  • Check DeviceNetworkEvents for any signs of outgoing connections over known TOR ports.

Steps Taken

1. Searched the DeviceFileEvents Table

Searched for any file that had the string "tor" in it and discovered what looks like the user "employee" downloaded a TOR installer, did something that resulted in many TOR-related files being copied to the desktop, and the creation of a file called tor-shopping-list.txt on the desktop at 2024-11-08T22:27:19.7259964Z. These events began at 2024-11-08T22:14:48.6065231Z.

Query used to locate events:

DeviceFileEvents  
| where DeviceName == "threat-hunt-lab"  
| where InitiatingProcessAccountName == "employee"  
| where FileName contains "tor"  
| where Timestamp >= datetime(2024-11-08T22:14:48.6065231Z)  
| order by Timestamp desc  
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, Account = InitiatingProcessAccountName
image

2. Searched the DeviceProcessEvents Table

Searched for any ProcessCommandLine that contained the string "tor-browser-windows-x86_64-portable-14.0.1.exe". Based on the logs returned, at 2024-11-08T22:16:47.4484567Z, an employee on the "threat-hunt-lab" device ran the file tor-browser-windows-x86_64-portable-14.0.1.exe from their Downloads folder, using a command that triggered a silent installation.

Query used to locate event:

DeviceProcessEvents  
| where DeviceName == "threat-hunt-lab"  
| where ProcessCommandLine contains "tor-browser-windows-x86_64-portable-14.0.1.exe"  
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath, SHA256, ProcessCommandLine
image

3. Searched the DeviceProcessEvents Table for TOR Browser Execution

Searched for any indication that user "employee" actually opened the TOR browser. There was evidence that they did open it at 2024-11-08T22:17:21.6357935Z. There were several other instances of firefox.exe (TOR) as well as tor.exe spawned afterwards.

Query used to locate events:

DeviceProcessEvents  
| where DeviceName == "threat-hunt-lab"  
| where FileName has_any ("tor.exe", "firefox.exe", "tor-browser.exe")  
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath, SHA256, ProcessCommandLine  
| order by Timestamp desc
image

4. Searched the DeviceNetworkEvents Table for TOR Network Connections

Searched for any indication the TOR browser was used to establish a connection using any of the known TOR ports. At 2024-11-08T22:18:01.1246358Z, an employee on the "threat-hunt-lab" device successfully established a connection to the remote IP address 176.198.159.33 on port 9001. The connection was initiated by the process tor.exe, located in the folder c:\users\employee\desktop\tor browser\browser\torbrowser\tor\tor.exe. There were a couple of other connections to sites over port 443.

Query used to locate events:

DeviceNetworkEvents  
| where DeviceName == "threat-hunt-lab"  
| where InitiatingProcessAccountName != "system"  
| where InitiatingProcessFileName in ("tor.exe", "firefox.exe")  
| where RemotePort in ("9001", "9030", "9040", "9050", "9051", "9150", "80", "443")  
| project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessFolderPath  
| order by Timestamp desc
image

Chronological Event Timeline

1. File Download - TOR Installer

  • Timestamp: 2024-11-08T22:14:48.6065231Z
  • Event: The user "employee" downloaded a file named tor-browser-windows-x86_64-portable-14.0.1.exe to the Downloads folder.
  • Action: File download detected.
  • File Path: C:\Users\employee\Downloads\tor-browser-windows-x86_64-portable-14.0.1.exe

2. Process Execution - TOR Browser Installation

  • Timestamp: 2024-11-08T22:16:47.4484567Z
  • Event: The user "employee" executed the file tor-browser-windows-x86_64-portable-14.0.1.exe in silent mode, initiating a background installation of the TOR Browser.
  • Action: Process creation detected.
  • Command: tor-browser-windows-x86_64-portable-14.0.1.exe /S
  • File Path: C:\Users\employee\Downloads\tor-browser-windows-x86_64-portable-14.0.1.exe

3. Process Execution - TOR Browser Launch

  • Timestamp: 2024-11-08T22:17:21.6357935Z
  • Event: User "employee" opened the TOR browser. Subsequent processes associated with TOR browser, such as firefox.exe and tor.exe, were also created, indicating that the browser launched successfully.
  • Action: Process creation of TOR browser-related executables detected.
  • File Path: C:\Users\employee\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe

4. Network Connection - TOR Network

  • Timestamp: 2024-11-08T22:18:01.1246358Z
  • Event: A network connection to IP 176.198.159.33 on port 9001 by user "employee" was established using tor.exe, confirming TOR browser network activity.
  • Action: Connection success.
  • Process: tor.exe
  • File Path: c:\users\employee\desktop\tor browser\browser\torbrowser\tor\tor.exe

5. Additional Network Connections - TOR Browser Activity

  • Timestamps:
    • 2024-11-08T22:18:08Z - Connected to 194.164.169.85 on port 443.
    • 2024-11-08T22:18:16Z - Local connection to 127.0.0.1 on port 9150.
  • Event: Additional TOR network connections were established, indicating ongoing activity by user "employee" through the TOR browser.
  • Action: Multiple successful connections detected.

6. File Creation - TOR Shopping List

  • Timestamp: 2024-11-08T22:27:19.7259964Z
  • Event: The user "employee" created a file named tor-shopping-list.txt on the desktop, potentially indicating a list or notes related to their TOR browser activities.
  • Action: File creation detected.
  • File Path: C:\Users\employee\Desktop\tor-shopping-list.txt

Summary

The user "employee" on the "threat-hunt-lab" device initiated and completed the installation of the TOR browser. They proceeded to launch the browser, establish connections within the TOR network, and created various files related to TOR on their desktop, including a file named tor-shopping-list.txt. This sequence of activities indicates that the user actively installed, configured, and used the TOR browser, likely for anonymous browsing purposes, with possible documentation in the form of the "shopping list" file.

Response Taken

TOR usage was confirmed on the endpoint threat-hunt-lab by the user employee. The device was isolated, and the user's direct manager was notified.

About

A hands-on threat hunting scenario focused on detecting Tor-based adversary activity

github.com/kevlo-cyber

Topics

detection sysmon threat-hunting tor-network blue-team kql cyber-threats microsoft-sentinel

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published