Threat Event (Unauthorized TOR Usage)
Unauthorized TOR Browser Installation and Use
Steps the "Bad Actor" took to create logs and IoCs:
- Download the TOR browser installer: https://www.torproject.org/download/
- Install it silently:
  `tor-browser-windows-x86_64-portable-14.0.1.exe /S`
- Open the TOR browser from the folder on the desktop.
- Connect to TOR and browse a few sites. For example:
  - WARNING: The links to onion sites change a lot and these have changed. However, if you connect to Tor and browse around normal sites a bit, the necessary logs should still be created.
  - Current Dread Forum: dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion
  - Dark Markets Forum: dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/d/DarkNetMarkets
  - Current Elysium Market: elysiumutkwscnmdohj23gkcyp3ebrf4iio3sngc5tvcgyfp4nqqmwad.top/login
- Create a file on your desktop called `tor-shopping-list.txt` and put a few fake (illicit) items in it.
- Delete the file.
Tables Used to Detect IoCs:

| Parameter | Description |
|---|---|
| Name | DeviceFileEvents |
| Info | https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceinfo-table |
| Purpose | Used for detecting the TOR download and installation, as well as the shopping list creation and deletion. |

| Parameter | Description |
|---|---|
| Name | DeviceProcessEvents |
| Info | https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceinfo-table |
| Purpose | Used to detect the silent installation of TOR, as well as the TOR browser and service launching. |

| Parameter | Description |
|---|---|
| Name | DeviceNetworkEvents |
| Info | https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table |
| Purpose | Used to detect TOR network activity, specifically tor.exe and firefox.exe making connections over the ports commonly used by TOR (9001, 9030, 9040, 9050, 9051, 9150). |
Related Queries:
```kql
// Installer name == tor-browser-windows-x86_64-portable-(version).exe
// Detect the installer being downloaded
DeviceFileEvents
| where FileName startswith "tor"
| project Timestamp, DeviceName, RequestAccountName, ActionType, FileName, FolderPath
```

```kql
// TOR Browser being silently installed
// Take note of two spaces before the /S (I don't know why)
DeviceProcessEvents
| where ProcessCommandLine contains "tor-browser-windows-x86_64-portable-14.0.1.exe  /S"
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine
```

```kql
// TOR Browser or service was successfully installed and is present on the disk
DeviceFileEvents
| where FileName has_any ("tor.exe", "firefox.exe")
| project Timestamp, DeviceName, RequestAccountName, ActionType, InitiatingProcessCommandLine
```

```kql
// TOR Browser or service was launched
DeviceProcessEvents
| where ProcessCommandLine has_any ("tor.exe", "firefox.exe")
| project Timestamp, DeviceName, AccountName, ActionType, ProcessCommandLine
```

```kql
// TOR Browser or service is being used and is actively creating network connections
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("tor.exe", "firefox.exe")
| where RemotePort in (9001, 9030, 9040, 9050, 9051, 9150)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
```

```kql
// User shopping list was created, changed, or deleted
DeviceFileEvents
| where FileName contains "shopping-list.txt"
| project Timestamp, DeviceName, RequestAccountName, ActionType, FileName, FolderPath
```
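The queries above each answer one question in isolation. As an added example that is not part of the original write-up, the query below unions the same three tables into a single ordered timeline for one device, so the download, silent install, launch, TOR connections and shopping-list file events can be read in sequence. `TARGET-DEVICE` is a placeholder for the DeviceName under investigation, and the seven-day lookback is an assumption.

```kql
// Added example: one timeline per device across DeviceFileEvents,
// DeviceProcessEvents and DeviceNetworkEvents for the TOR scenario.
// "TARGET-DEVICE" is a placeholder; replace it with the hunted DeviceName.
let targetDevice = "TARGET-DEVICE";
let lookback = 7d;
let torPorts = dynamic([9001, 9030, 9040, 9050, 9051, 9150]);
// File stage: installer download, tor.exe/firefox.exe on disk, shopping list lifecycle
let fileEvents = DeviceFileEvents
    | where Timestamp > ago(lookback) and DeviceName == targetDevice
    | where FileName startswith "tor"
        or FileName in~ ("tor.exe", "firefox.exe")
        or FileName contains "shopping-list.txt"
    | project Timestamp, DeviceName, Account = RequestAccountName,
        Stage = "File",
        Detail = strcat(ActionType, " ", FolderPath, "\\", FileName);
// Process stage: silent install (/S) and browser/service launch
let processEvents = DeviceProcessEvents
    | where Timestamp > ago(lookback) and DeviceName == targetDevice
    | where ProcessCommandLine has_any ("tor-browser-windows", "tor.exe", "firefox.exe")
    | project Timestamp, DeviceName, Account = AccountName,
        Stage = "Process",
        Detail = ProcessCommandLine;
// Network stage: tor.exe / firefox.exe talking on the usual TOR ports
let networkEvents = DeviceNetworkEvents
    | where Timestamp > ago(lookback) and DeviceName == targetDevice
    | where InitiatingProcessFileName in~ ("tor.exe", "firefox.exe")
    | where RemotePort in (torPorts)
    | project Timestamp, DeviceName, Account = InitiatingProcessAccountName,
        Stage = "Network",
        Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort));
// Stitch the three stages together and read them oldest first
union fileEvents, processEvents, networkEvents
| order by Timestamp asc
```

A gap between the first network connection and the last file event gives a quick estimate of how long the browser was in use before the shopping list was deleted.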