Detection overview

The TOR activity detection identifies the use of TOR (The Onion Router) network services within an organization's network. While TOR can be used for legitimate purposes, it is often employed by malicious actors to anonymize their activities, including data exfiltration, command and control (C2) communication, and accessing unauthorized content. Detecting TOR activity is crucial for identifying potential security threats and preventing misuse of anonymization services.

Triggers

  • An internal host establishes connections with outside servers where protocol usage approximates communicating via The Onion Router (TOR)
  • The algorithm inspects the protocol handshake of each session and triggers if characteristics of the session setup are similar to those observed in TOR connections

Possible Root Causes

  • A targeted attack is utilizing TOR to hide communications with command and control servers or to exfiltrate your organization’s data
  • An infected host which is part of a botnet is utilizing TOR to communicate with its command and control servers or to leak small amounts of stolen data
  • A user is utilizing a TOR-enabled program to anonymously communicate with servers available on the Internet or ones available only through TOR

Business Impact

  • The use of TOR as part of a targeted attack is meant to slip by most standard perimeter defenses and indicates attacker sophistication
  • The use of TOR as part of a botnet is relatively rare and would indicate a more sophisticated botnet
  • The intentional use of TOR by employees may be allowed, but it does represent significant risk as the intention of TOR is to mask traffic source and destination

Steps to Verify

  • Ask the user of the host whether they are using TOR for any purpose
  • Check to see if any TOR-enabled software is installed on the host
  • Check the TOR entry nodes listed in the detection against lists of known TOR entry nodes (e.g., search for “tor entry node list”), but note that these lists are seldom complete and shift over time
TOR Activity

Possible root causes

Malicious Detection

  • An attacker using TOR to anonymize their activities within the network, such as data exfiltration or command and control communication.
  • Malware on an internal host communicating with external C2 servers via the TOR network.
  • Unauthorized users accessing the TOR network to bypass security controls and access restricted content.

Benign Detection

  • Security researchers or IT personnel using TOR for legitimate research or testing purposes.
  • Employees using TOR to protect their privacy while browsing the internet.
  • Applications configured to use TOR for anonymization and data protection.

Example scenarios

Scenario 1: An internal host establishes multiple outbound connections to known TOR entry nodes. Investigation reveals that the host is compromised, and the attacker is using TOR to anonymize C2 communications and exfiltrate data.

Scenario 2: A sudden increase in encrypted network traffic is detected, with connections to uncommon IP addresses. Further analysis indicates that a security researcher within the organization was using TOR for legitimate testing purposes, causing the detection to trigger.


Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Data Exfiltration

TOR activity can be used to exfiltrate sensitive data from the organization, leading to potential financial and reputational damage.

Anonymized Malicious Activity

Attackers can use TOR to maintain anonymity, making it difficult to trace their actions and preventing timely threat response.

Policy Violations

Unauthorized use of TOR may violate company policies and regulatory requirements, leading to compliance issues.


Steps to investigate


MITRE ATT&CK techniques covered

FAQs

What does TOR activity mean?

TOR activity is any use of the TOR network to anonymize internet traffic. It is often used by malicious actors to hide their activities, including data exfiltration and command and control communication.

What are the common signs of TOR Activity?

Common signs include connections to TOR entry nodes, unusual encrypted traffic patterns, and spikes in outbound connections to uncommon IP addresses.

How can I distinguish between legitimate and malicious TOR Activity?

Distinguishing between legitimate and malicious TOR activity involves understanding normal usage patterns and context. Legitimate use typically follows predictable patterns and originates from known, trusted sources.

How does Vectra AI identify TOR Activity?

Vectra AI uses advanced AI algorithms and machine learning to analyze network traffic patterns and identify anomalies indicative of TOR usage.

What is the business impact of TOR Activity?

It can lead to data exfiltration, anonymized malicious activity, and policy violations, resulting in financial and reputational damage.

How can I detect TOR Activity in my network?

Detect TOR Activity by monitoring for connections to known TOR entry nodes, unusual patterns of encrypted traffic, and outbound connections to IP addresses associated with the TOR network.

Why is TOR Activity a significant threat?

It can be used for data exfiltration, anonymized malicious activity, and policy violations, making it difficult to trace and respond to threats effectively.

What steps should I take if I detect TOR Activity?

Investigate the source and scope of the TOR traffic, check for signs of compromise, review network traffic logs, and consult with IT and security teams to verify if the activity is legitimate.

What should I look for in network traffic logs to identify TOR Activity?

Look for patterns such as connections to known TOR entry nodes, unusual encrypted traffic, and spikes in outbound connections to uncommon IP addresses.
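As an added example (not Vectra AI's detection code), the script below ties together the "Steps to Verify" advice on checking a detection's destinations against a TOR entry-node list and the two log patterns named in this answer. It parses constructed connection-log lines, reports which destinations appear in a constructed placeholder entry-node list, and flags any internal host with a burst of connections to destinations that no other internal host contacts. KNOWN_TOR_ENTRY_NODES, INTERNAL_NET, SAMPLE_LOG and the thresholds are assumptions, not values from the detection.

```python
"""Triage helper: check a detection's destination IPs against a TOR entry-node
list and look for spikes in outbound connections to uncommon destinations.

Added example, not Vectra AI's detection logic. The entry-node list, the
internal network range and the log lines below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed placeholder list. Real lists are seldom complete and shift over
# time, so a miss here is not evidence that a destination is not a TOR node.
KNOWN_TOR_ENTRY_NODES = {"203.0.113.7", "198.51.100.42"}

# Assumed internal address range; only internal -> external flows are scored.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed connection log, one flow per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 203.0.113.7 9001
2024-05-01T10:00:02 10.0.0.5 198.51.100.42 443
2024-05-01T10:00:03 10.0.0.5 192.0.2.10 443
2024-05-01T10:00:04 10.0.0.5 192.0.2.11 443
2024-05-01T10:00:05 10.0.0.5 192.0.2.12 443
2024-05-01T10:00:06 10.0.0.5 192.0.2.13 443
2024-05-01T10:00:07 10.0.0.5 192.0.2.14 443
2024-05-01T10:01:00 10.0.0.8 198.51.100.1 443
2024-05-01T10:01:01 10.0.0.9 198.51.100.1 443
2024-05-01T10:01:02 10.0.0.10 198.51.100.1 443
2024-05-01T10:01:03 10.0.0.8 192.0.2.50 443
"""


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples for outbound flows only."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        outbound = (ipaddress.ip_address(src) in INTERNAL_NET
                    and ipaddress.ip_address(dst) not in INTERNAL_NET)
        if outbound:
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def destination_popularity(flows):
    """Number of distinct internal hosts that contacted each destination."""
    hosts_per_dst = defaultdict(set)
    for _, src, dst, _ in flows:
        hosts_per_dst[dst].add(src)
    return {dst: len(hosts) for dst, hosts in hosts_per_dst.items()}


def peak_in_window(timestamps, window_seconds):
    """Largest number of events inside any span of window_seconds (sliding window)."""
    ordered = sorted(timestamps)
    peak = start = 0
    for end, ts in enumerate(ordered):
        while (ts - ordered[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyze(flows, tor_nodes=KNOWN_TOR_ENTRY_NODES, uncommon_max_hosts=1,
            window_seconds=60, spike_threshold=5):
    """Per internal host: known entry-node hits and the peak burst of connections
    to 'uncommon' destinations (contacted by at most uncommon_max_hosts hosts)."""
    popularity = destination_popularity(flows)
    by_host = defaultdict(list)
    for flow in flows:
        by_host[flow[1]].append(flow)
    findings = {}
    for src, host_flows in by_host.items():
        node_hits = sorted({dst for _, _, dst, _ in host_flows if dst in tor_nodes})
        uncommon_ts = [ts for ts, _, dst, _ in host_flows
                       if popularity[dst] <= uncommon_max_hosts]
        peak = peak_in_window(uncommon_ts, window_seconds)
        if node_hits or peak >= spike_threshold:
            findings[src] = {
                "tor_entry_node_hits": node_hits,
                "peak_uncommon_connections": peak,
                "spike": peak >= spike_threshold,
            }
    return findings


if __name__ == "__main__":
    for host, detail in analyze(parse_log(SAMPLE_LOG)).items():
        print(host, detail)
```

On the sample data only 10.0.0.5 is reported: two of its destinations are in the placeholder node list and it makes seven connections within a few seconds to addresses no other host contacts. Because public node lists are incomplete and change over time, an empty tor_entry_node_hits is not a clean bill of health; the burst signal and the host-side checks from "Steps to Verify" still apply, and the window and threshold should be tuned against the organization's own baseline.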

How can I prevent unauthorized TOR Activity?

Implement robust network monitoring and alerting, enforce strict access controls, block known TOR entry nodes, and educate employees about acceptable use policies.