{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/anonymization/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TOR Browser","Brave Browser"],"_cs_severities":["medium"],"_cs_tags":["tor","proxy","anonymization","command-and-control","data-exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["The TOR Project","Brave"],"content_html":"\u003cp\u003eThis detection focuses on identifying the execution of the TOR browser and associated components on Windows systems. TOR can be used legitimately for privacy, research, and security testing, but its presence on enterprise endpoints is often anomalous. Threat actors may leverage TOR to anonymize command-and-control (C2) communications, facilitate data exfiltration, and bypass network monitoring. This analytic identifies \u0026quot;tor.exe\u0026quot; execution as well as processes running from the Brave Browser installation directory or any directory starting with \u0026quot;tor-\u0026quot;, indicative of a portable TOR browser installation. Early detection can help security teams identify potential malicious activity before sensitive data is compromised or further lateral movement occurs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows endpoint (e.g., via phishing or exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the TOR browser executable or a portable TOR client to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003etor.exe\u003c/code\u003e or runs the TOR client from a directory such as \u003ccode\u003e*\\BraveSoftware\\Brave-Browser*\u003c/code\u003e or \u003ccode\u003e*\\tor-*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe TOR client establishes an encrypted connection to the TOR network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the TOR browser or client to anonymize their network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the TOR network for command and control of malware, masking the origin of the C2 server.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data through the TOR network, evading network-based data loss prevention (DLP) measures.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of TOR clients within an organization can lead to masked command-and-control activity, data exfiltration, and evasion of security policies. The presence of TOR may indicate a compromised host being used for malicious purposes or an insider threat attempting to exfiltrate sensitive data anonymously. The number of affected systems and the extent of the damage depend on the attacker's objectives and the organization's security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tor Executable Execution\u003c/code\u003e to detect the execution of tor.exe on endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tor Browser Path\u003c/code\u003e to detect the execution of TOR binaries from the Brave Browser or portable TOR installation paths.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the intent and scope of TOR usage (reference the Sigma rules above).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to known TOR entry nodes if possible (see references for lists of TOR nodes).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-windows-tor-client-execution/","summary":"Detects the execution of the TOR Browser and related components on Windows endpoints, indicating potential anonymization of traffic for command and control, data exfiltration, or policy evasion by adversaries or insider threats.","title":"Windows TOR Client Execution Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-windows-tor-client-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Anonymization","version":"https://jsonfeed.org/version/1.1"}