🔐Threat Hunting Case Study: Unauthorized TOR Usage


🕵️Implementing a Hypothesis-Driven Threat Hunt for TOR Activity

Detecting, investigating, and responding to unauthorized anonymous browsing using endpoint telemetry.


Executive Summary

This case study documents a hypothesis-driven threat hunt conducted to identify unauthorized TOR browser usage within an enterprise environment. Management suspected, based on unusual encrypted traffic patterns and anonymous internal reports, that employees were bypassing network controls. Using Microsoft Defender for Endpoint and KQL, endpoint telemetry was correlated across file, process, and network events to confirm TOR installation, execution, and network activity. The investigation concluded with validated policy violations and incident response actions.

  • Role: Security Analyst
  • Environment: Azure-hosted Windows 11 endpoints
  • EDR Platform: Microsoft Defender for Endpoint
  • Tools & Languages: KQL, PowerShell
  • Focus Area: Threat Hunting, Incident Response
  • Outcome: Confirmed TOR usage and endpoint isolation

The Problem

Management suspected that employees were using TOR browsers to bypass network security controls. Network logs showed unusual encrypted traffic patterns and connections to known TOR entry nodes. Additionally, anonymous internal reports suggested employees were discussing methods to access restricted websites during work hours. The objective was to determine whether TOR usage was occurring and assess any associated risk.


Constraints & Assumptions

  • No existing alerts specifically detecting TOR usage
  • Investigation limited to endpoint telemetry
  • Legitimate encrypted traffic existed in the environment, increasing noise
  • Hunt required confirmation of both installation and active usage

Hunt Hypothesis

If employees are using the TOR browser, endpoint telemetry should show evidence of TOR-related file creation, process execution, and network connections to known TOR ports.


Investigation & Technical Execution

The threat hunt was conducted using Microsoft Defender for Endpoint by querying multiple telemetry sources to identify indicators of TOR usage.

File Activity Analysis

The DeviceFileEvents table was queried for file names and paths containing TOR-related strings. This revealed the download of a TOR browser installer, the creation of multiple TOR-related files on the desktop, and a user-created text file whose name and location pointed to activity related to TOR usage. When matching on the string "tor", use a term match rather than a substring match: a bare substring also hits unrelated names such as "editor" and "monitor", so anchor on the installer's file-name pattern and on the "Tor Browser" install folder.
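As an added example, not a query from the original case study, the following KQL is the shape of the DeviceFileEvents hunt described above. The device name and the 30-day window are placeholder assumptions. It relies on `has` (whole-term match) rather than `contains` (substring) for the "tor" string, and otherwise anchors on the installer's file-name pattern and the Tor Browser install folder.

```kql
// Added example, not the case study's own query.
// Assumptions: "<device-name>" and the 30-day lookback are placeholders.
let lookback = 30d;
let device_name = "<device-name>";   // drop this filter to hunt fleet-wide
DeviceFileEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ device_name
| where ActionType in ("FileCreated", "FileRenamed", "FileModified")
// Anchor on the installer name (tor-browser-*.exe / torbrowser-install-*.exe),
// the files Tor Browser drops, and its install folder.
| where FileName matches regex @"(?i)^tor-?browser.*\.exe$"
     or FileName in~ ("tor.exe", "torrc")
     or FolderPath contains "Tor Browser"
     // User-authored notes on the Desktop: `has` matches the whole term "tor",
     // so "tor-notes.txt" matches but "editor.txt" and "monitor.txt" do not.
     or (FolderPath contains @"\Desktop\" and FileName has "tor" and FileName endswith ".txt")
// FileOriginUrl is populated for browser downloads and shows where the installer came from.
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256,
          FileOriginUrl, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp asc
```

Removing the DeviceName filter and appending `| summarize count() by DeviceName, InitiatingProcessAccountName` turns the same query into a quick check of whether the installer turned up on any other endpoint.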

Process Execution Analysis

The DeviceProcessEvents table was analyzed to confirm execution of the TOR browser installer and the processes it subsequently spawned. Logs showed the installer launched with a silent-install switch on its command line, followed by execution of firefox.exe and tor.exe, confirming successful installation and launch of the TOR browser. Because the stock Firefox browser is also firefox.exe, a firefox.exe process is only evidence of TOR when its folder path sits inside the Tor Browser install directory.
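As an added example, not a query from the original case study, this DeviceProcessEvents query separates the two facts the process analysis had to establish: that the installer ran with a silent switch, and that the browser's own firefox.exe and tor.exe were started afterwards. It assumes a placeholder device name and that the installer is the NSIS-based Tor Browser installer, whose silent switch is an uppercase `/S` (a lowercase `/s` is not silent, so the regex is deliberately case-sensitive).

```kql
// Added example, not the case study's own query.
// Assumptions: "<device-name>" is a placeholder; the installer is NSIS-based, so
// silent mode is the uppercase /S switch.
let lookback = 30d;
let device_name = "<device-name>";
// Stage 1: installer executions, flagging the silent switch on the command line.
let installer_runs =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceName =~ device_name
    | where FileName matches regex @"(?i)^tor-?browser.*\.exe$"
    // Case-sensitive on purpose: NSIS only honours uppercase /S.
    | extend SilentInstall = ProcessCommandLine matches regex @"\s/S(\s|$)"
    | project Timestamp, DeviceName, AccountName, Stage = "installer",
              FileName, FolderPath, ProcessCommandLine, SilentInstall, SHA256,
              Parent = InitiatingProcessFileName;
// Stage 2: runtime processes. tor.exe is unambiguous; firefox.exe only counts
// when it lives under a Tor Browser folder, since stock Firefox shares the name.
let tor_runtime =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceName =~ device_name
    | where FileName =~ "tor.exe"
         or (FileName =~ "firefox.exe" and FolderPath contains "Tor Browser")
    | project Timestamp, DeviceName, AccountName, Stage = "runtime",
              FileName, FolderPath, ProcessCommandLine, SilentInstall = false, SHA256,
              Parent = InitiatingProcessFileName;
union installer_runs, tor_runtime
| order by Timestamp asc
```

The Parent column is what shows lineage: the installer's parent is typically the browser or explorer.exe that the user launched it from, and tor.exe's parent is the Tor Browser firefox.exe, which is the chain the page's timeline relies on.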

Network Activity Analysis

The DeviceNetworkEvents table was queried for connections initiated by TOR-related processes over ports commonly associated with TOR (9001, 9030, 9040, 9050, 9051 and 9150). This confirmed outbound connections to external TOR nodes, validating active TOR network usage from the endpoint. A port match on its own is weak evidence, since other software uses some of these ports and TOR relays and bridges also listen on 443; attribution of the connection to tor.exe or to the Tor Browser firefox.exe is what makes the finding conclusive.
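As an added example, not a query from the original case study, the following DeviceNetworkEvents query uses process identity as the primary filter and treats the port list as supporting context. It assumes a placeholder device name and the port set listed above; the loopback connections from firefox.exe to 127.0.0.1:9150 are the browser handing traffic to its local tor.exe SOCKS listener, and the public-IP connections from tor.exe are the guard/relay traffic the case study confirmed.

```kql
// Added example, not the case study's own query.
// Assumptions: "<device-name>" is a placeholder; tor_ports are the ports
// commonly associated with Tor (ORPort 9001, DirPort 9030, TransPort 9040,
// SOCKS 9050/9150, control 9051). 443 is not listed because it is not Tor-specific.
let lookback = 30d;
let device_name = "<device-name>";
let tor_ports = dynamic([9001, 9030, 9040, 9050, 9051, 9150]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ device_name
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
// Process attribution first: tor.exe, or firefox.exe running out of a Tor Browser folder.
| where InitiatingProcessFileName =~ "tor.exe"
     or (InitiatingProcessFileName =~ "firefox.exe"
         and InitiatingProcessFolderPath contains "Tor Browser")
// Keep every public-destination connection from those processes, plus local
// SOCKS/control traffic on Tor ports (firefox.exe -> 127.0.0.1:9150).
| where RemoteIPType == "Public" or RemotePort in (tor_ports)
| extend TorPort = RemotePort in (tor_ports)
| summarize Connections = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            RemoteIPs = make_set(RemoteIP, 50),
            Ports = make_set(RemotePort, 20)
          by DeviceName, InitiatingProcessAccountName,
             InitiatingProcessFileName, InitiatingProcessFolderPath, TorPort
| order by FirstSeen asc
```

Dropping the `summarize` gives the per-connection rows needed for the timeline; the summarized form is the one to read first, because a single row of tor.exe reaching many public IPs on 443 and 9001 is the signature of a client bootstrapping into the network. The same process-plus-port correlation, projected with Timestamp, DeviceId and ReportId, is the natural candidate for the custom detection rule suggested under Detection Improvements.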


Chronological Timeline Reconstruction

  • TOR installer downloaded to the endpoint by the user
  • Silent installation executed, indicating intentional installation
  • TOR browser launched, spawning TOR-related processes
  • Outbound TOR network connections established
  • User-created TOR-related file detected on the desktop

This sequence confirmed deliberate installation and active usage rather than accidental execution.
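As an added example, not a query from the original case study, this KQL stitches the file, process and network evidence for one device into a single ordered timeline, which is the artefact a chronology like the one above is read from. It assumes a placeholder device name and a standard Tor Browser layout (a "Tor Browser" folder containing firefox.exe and tor.exe); each source is projected onto the same column set so `union` yields one table.

```kql
// Added example, not the case study's own query.
// Assumptions: "<device-name>" is a placeholder; standard Tor Browser folder layout.
let lookback = 30d;
let device_name = "<device-name>";
let file_evidence =
    DeviceFileEvents
    | where Timestamp > ago(lookback) and DeviceName =~ device_name
    | where FolderPath contains "Tor Browser"
         or FileName matches regex @"(?i)^tor-?browser.*\.exe$"
    | project Timestamp, DeviceName, Source = "File", Action = ActionType,
              Account = InitiatingProcessAccountName,
              Process = InitiatingProcessFileName,
              Detail = strcat(FolderPath, " | origin=", FileOriginUrl);
let process_evidence =
    DeviceProcessEvents
    | where Timestamp > ago(lookback) and DeviceName =~ device_name
    | where FileName =~ "tor.exe"
         or (FileName =~ "firefox.exe" and FolderPath contains "Tor Browser")
         or FileName matches regex @"(?i)^tor-?browser.*\.exe$"
    | project Timestamp, DeviceName, Source = "Process", Action = ActionType,
              Account = AccountName,
              Process = FileName,
              Detail = ProcessCommandLine;
let network_evidence =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback) and DeviceName =~ device_name
    | where InitiatingProcessFileName =~ "tor.exe"
         or (InitiatingProcessFileName =~ "firefox.exe"
             and InitiatingProcessFolderPath contains "Tor Browser")
    | project Timestamp, DeviceName, Source = "Network", Action = ActionType,
              Account = InitiatingProcessAccountName,
              Process = InitiatingProcessFileName,
              Detail = strcat(RemoteIP, ":", RemotePort, " (", RemoteIPType, ")");
union file_evidence, process_evidence, network_evidence
| order by Timestamp asc
// To compress a noisy tor.exe bootstrap into a readable narrative, append:
// | summarize Events = count(), Example = take_any(Detail)
//             by bin(Timestamp, 1m), Source, Process, Account
```

Reading the result top to bottom should reproduce the five-step sequence: installer file created (with its origin URL), installer process with the silent switch, firefox.exe then tor.exe from the Tor Browser folder, loopback and public network connections, and the user's own file on the Desktop. A gap of seconds between the install and the first public connection is the strongest single indicator that the installation was deliberate.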


Results & Findings

  • Confirmed unauthorized TOR browser installation
  • Verified active TOR network connections
  • Identified clear policy violations
  • Correlated file, process, and network telemetry into a single timeline

Response & Outcome

Following confirmation of TOR usage, the affected endpoint was isolated to prevent further anonymous network activity. Management and the user’s direct supervisor were notified, and the incident was documented for policy enforcement and future detection improvements.


Detection Improvements & Hardening

Based on findings from the hunt, several detection opportunities were identified:

  • Alerting on TOR-related binaries (tor.exe, and firefox.exe executing from a Tor Browser install folder)
  • Monitoring for silent-install switches on installer command lines (for the NSIS-based Tor Browser installer, an uppercase /S)
  • Correlating endpoint process execution with TOR network port usage
  • Establishing baseline alerts for anonymous network tools

Lessons Learned

  • Hypothesis-driven hunts reduce investigative noise
  • Correlating multiple telemetry sources is critical for confirmation
  • TOR usage is detectable even when traffic is encrypted
  • Threat hunting directly informs better detection engineering
