
Threat hunt: Unauthorized TOR usage
Conducted an in-depth threat hunt using Microsoft Defender and KQL to detect, analyze, and respond to unauthorized TOR browser usage within an enterprise environment.
Project Overview
This threat hunting initiative was launched in response to concerns about unauthorized access to restricted websites and unusual encrypted network traffic patterns. After employee reports indicated potential TOR browser usage to bypass security controls, I conducted a thorough investigation on workstation server-dev-01 to detect TOR installation and usage, assess security risks, and determine appropriate mitigation measures.
Technical Implementation
The investigation leveraged Windows 10 Virtual Machines in Microsoft Azure and Microsoft Defender for Endpoint as the EDR platform. I developed a multi-layered detection approach using Kusto Query Language (KQL) to analyze:
- File Event Analysis: Identified TOR installer downloads and related file activities
- Process Execution Analysis: Detected silent installation commands and TOR browser launches
- Network Connection Analysis: Discovered connections to known TOR exit nodes
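The three layers above, written out as one advanced-hunting query for Microsoft Defender for Endpoint. This is an added example, not the queries used in the original investigation. The device name and account come from the write-up; the installer name prefix, the NSIS silent switch (/S) that the TOR Browser installer accepts, the "Tor Browser" folder name and the port list (9001, 9030, 9040, 9050, 9051, 9150) are general TOR Browser knowledge and are assumptions about this environment, not values recorded in the hunt. The 30-day lookback is likewise an arbitrary choice.

```kql
// Added example: layered hunt for TOR Browser activity in Defender advanced hunting.
// Assumed values: device and account from the write-up; installer prefix, /S switch,
// folder name, port list and lookback window are general knowledge, not case data.
let target_device = "server-dev-01";
let target_user   = "cdoles.admin";
let lookback      = 30d;
let tor_ports     = dynamic([9001, 9030, 9040, 9050, 9051, 9150]);
// 1. File events: installer downloads (tor-browser-*.exe / torbrowser-install-*.exe)
//    and anything written under the extracted "Tor Browser" folder.
let file_events =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where DeviceName startswith target_device
    | where (FileName startswith "tor" and FileName endswith ".exe")
         or FolderPath has @"\Tor Browser\"
    | project Timestamp, Layer = "file", DeviceName,
              Account = InitiatingProcessAccountName, ActionType,
              Detail = strcat(FolderPath, " | sha256=", SHA256);
// 2. Process events: a silent install (installer run with /S) or a launch of
//    tor.exe / firefox.exe from inside the Tor Browser folder.
let process_events =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceName startswith target_device
    | where (FileName startswith "tor" and ProcessCommandLine has " /S")
         or (FileName in~ ("tor.exe", "firefox.exe") and FolderPath has @"\Tor Browser\")
    | project Timestamp, Layer = "process", DeviceName,
              Account = AccountName, ActionType,
              Detail = ProcessCommandLine;
// 3. Network events: any connection initiated by tor.exe, or outbound traffic on
//    TOR-typical ports. Port matching is a heuristic and will catch unrelated
//    services; confirm RemoteIP against a current TOR relay list before treating
//    a port-only hit as conclusive.
let network_events =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where DeviceName startswith target_device
    | where InitiatingProcessFileName =~ "tor.exe" or RemotePort in (tor_ports)
    | project Timestamp, Layer = "network", DeviceName,
              Account = InitiatingProcessAccountName, ActionType,
              Detail = strcat(RemoteIP, ":", tostring(RemotePort),
                              " via ", InitiatingProcessFileName);
// Stitch the three layers into a single timeline for the suspected account so the
// download -> install -> launch -> connect sequence can be read top to bottom.
union file_events, process_events, network_events
| where Account =~ target_user
| order by Timestamp asc
```

Reading the result as a timeline is the point of the union: a file event for the installer, followed by a process event carrying /S, followed by tor.exe launches and then network events from tor.exe, is the sequence that turns three independent heuristics into a confident finding. Dropping the final `Account` filter widens the same query to every user on the device, which is the usual next step once one account is confirmed.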
The investigation confirmed that user cdoles.admin had downloaded, installed, and utilized TOR Browser on the workstation, establishing connections to known TOR nodes. In response, I immediately enforced endpoint isolation and escalated the incident to management.