
Threat Hunting: Unauthorized TOR Usage

A structured threat hunting investigation to detect unauthorized TOR browser usage within an enterprise Windows environment, demonstrating real SOC workflows and detection techniques.

Tools: Microsoft Defender for Endpoint, KQL, Windows 10, Azure

Scenario

Management suspects that some employees may be using TOR browsers to bypass network security controls. Recent network logs show unusual encrypted traffic patterns and connections to known TOR entry nodes. Additionally, there have been anonymous reports of employees discussing ways to access restricted sites during work hours.

Goal: Detect any TOR usage and analyze related security incidents to mitigate potential risks. If any use of TOR is found, notify management.

Investigation Plan

DeviceFileEvents

Check for any file events involving tor.exe or firefox.exe (or the Tor Browser installer) that indicate a download or installation.

DeviceProcessEvents

Check for any signs of TOR browser installation or execution processes.

DeviceNetworkEvents

Check for outgoing connections over known TOR ports (9001, 9030, 9050, 9150).
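The three checks above are scoped to one endpoint. The following query is an added example (not part of the original project) that applies the same network-port logic across the whole tenant so the hunter can tell whether the activity is isolated to one device or wider. It assumes the standard Microsoft Defender for Endpoint advanced hunting schema; the 7-day window and the port list are assumptions that should be adjusted to the environment. Ports 80 and 443 are deliberately left out here because ordinary firefox.exe traffic on those ports would swamp the results.

```kql
// Added example, not from the original hunt: fleet-wide scoping of TOR-like network activity.
// Assumption: default Defender for Endpoint schema; 7-day window chosen arbitrarily.
let tor_ports = dynamic([9001, 9030, 9040, 9050, 9051, 9150]);   // RemotePort is an integer column
let tor_binaries = dynamic(["tor.exe", "firefox.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (tor_binaries)          // case-insensitive match
| where RemotePort in (tor_ports)
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            RemoteIPs = make_set(RemoteIP, 20)                // cap the set to keep rows readable
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
// Left-join silent-install evidence so each device row also shows whether an installer ran with /S.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName has "tor" and ProcessCommandLine contains " /S"
    | summarize SilentInstalls = count() by DeviceName
  ) on DeviceName
| project DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          FirstSeen, LastSeen, Connections, RemoteIPs, SilentInstalls
| sort by Connections desc
```

A device with many connections to the TOR ports and a non-empty SilentInstalls count is the strongest candidate for the per-device timeline work that follows; devices with only a handful of connections and no installer evidence are worth a second look before isolating anything.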

Event Timeline

18:41:13

File Download - TOR Installer

User "erick" downloaded tor-browser-windows-x86_64-portable-14.5.exe to Downloads folder

18:43:57

Process Execution - Silent Installation

TOR browser installer was run with the /S (silent) flag, so the installation completed in the background with no user-facing setup wizard

18:47:55

TOR Browser Launch

User opened TOR browser; firefox.exe and tor.exe processes spawned

18:48:13

TOR Network Connection

Connection established to IP 111.69.37.214 on port 9001 via tor.exe

18:51:13

Suspicious File Creation

File "tor-shopping-list.txt" created on desktop, indicating potential misuse

KQL Queries Used

File Events Query

// Look for file activity on the suspect device, initiated by the suspect account, whose file name contains "tor"
DeviceFileEvents
| where DeviceName == "ec-win2"
| where InitiatingProcessAccountName == "erick"
| where FileName contains "tor"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256

Process Events Query

// Look for the Tor Browser binaries being launched on the suspect device; ProcessCommandLine exposes flags such as /S
DeviceProcessEvents
| where DeviceName == "ec-win2"
| where FileName has_any ("tor.exe", "firefox.exe", "tor-browser.exe")
| project Timestamp, DeviceName, AccountName, ActionType, FileName, ProcessCommandLine

Network Events Query

// Look for outbound connections from the Tor Browser processes on known TOR ports.
// RemotePort is an integer column, so the values are compared as numbers rather than as strings.
DeviceNetworkEvents
| where DeviceName == "ec-win2"
| where InitiatingProcessFileName in ("tor.exe", "firefox.exe")
| where RemotePort in (9001, 9030, 9040, 9050, 9051, 9150, 80, 443)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
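The three queries above were run separately and the results were stitched into the Event Timeline by hand. As an added example (not the project's own query), the following single query combines the file, process and network stages with a union so the timeline comes out of Advanced Hunting already ordered. It assumes the same device and account names used above and the default Defender for Endpoint schema; the Stage labels and the Detail column are assumptions chosen for readability.

```kql
// Added example, not from the original hunt: reconstruct the full file -> process -> network timeline in one query.
let target_device = "ec-win2";
let target_user = "erick";
let tor_ports = dynamic([9001, 9030, 9040, 9050, 9051, 9150]);
let tor_binaries = dynamic(["tor.exe", "firefox.exe", "tor-browser.exe"]);
// Stage 1: installer download and any files it writes
let file_stage = DeviceFileEvents
| where DeviceName == target_device and InitiatingProcessAccountName == target_user
| where FileName has "tor"
| extend Stage = "1-File",
         Process = InitiatingProcessFileName,
         Detail = strcat(ActionType, ": ", FolderPath),
         CommandLine = InitiatingProcessCommandLine;
// Stage 2: installer and browser launches; flag the silent-install switch separately
let process_stage = DeviceProcessEvents
| where DeviceName == target_device and AccountName == target_user
| where FileName in~ (tor_binaries) or FileName has "tor-browser"
| extend Stage = "2-Process",
         Process = FileName,
         Detail = iff(ProcessCommandLine contains " /S", "silent install", ActionType),
         CommandLine = ProcessCommandLine;
// Stage 3: connections from the Tor Browser processes to TOR ports
let network_stage = DeviceNetworkEvents
| where DeviceName == target_device and InitiatingProcessAccountName == target_user
| where InitiatingProcessFileName in~ (tor_binaries) and RemotePort in (tor_ports)
| extend Stage = "3-Network",
         Process = InitiatingProcessFileName,
         Detail = strcat(RemoteIP, ":", tostring(RemotePort)),
         CommandLine = InitiatingProcessCommandLine;
union file_stage, process_stage, network_stage
| project Timestamp, Stage, Process, Detail, CommandLine
| sort by Timestamp asc
```

Reading the output top to bottom gives the same sequence as the Event Timeline section: the installer arriving in Downloads, the process launch carrying the /S switch, the firefox.exe and tor.exe launches, and finally the tor.exe connection on port 9001. Keeping the CommandLine column in the projection is what lets the silent-install detail be confirmed without a second query.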

Response Taken

  • TOR usage was confirmed on endpoint "ec-win2" by user "erick"
  • Device was immediately isolated from the network
  • User's direct manager was notified of the policy violation
  • Incident documented for HR and security review