<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>The TOR Project - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/the-tor-project/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/the-tor-project/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows TOR Client Execution Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-windows-tor-client-execution/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-windows-tor-client-execution/</guid><description>Detects the execution of the TOR Browser and related components on Windows endpoints, indicating potential anonymization of traffic for command and control, data exfiltration, or policy evasion by adversaries or insider threats.</description><content:encoded><![CDATA[<p>This detection focuses on identifying the execution of the TOR browser and associated components on Windows systems. TOR can be used legitimately for privacy, research, and security testing, but its presence on enterprise endpoints is often anomalous. Threat actors may leverage TOR to anonymize command-and-control (C2) communications, facilitate data exfiltration, and bypass network monitoring. This analytic identifies &quot;tor.exe&quot; execution as well as processes running from the Brave Browser installation directory or any directory starting with &quot;tor-&quot;, indicative of a portable TOR browser installation. Early detection can help security teams identify potential malicious activity before sensitive data is compromised or further lateral movement occurs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows endpoint (e.g., via phishing or exploitation).</li>
<li>The attacker downloads the TOR browser executable or a portable TOR client to the compromised system.</li>
<li>The attacker executes <code>tor.exe</code> or runs the TOR client from a directory such as <code>*\BraveSoftware\Brave-Browser*</code> or <code>*\tor-*</code>.</li>
<li>The TOR client establishes an encrypted connection to the TOR network.</li>
<li>The attacker uses the TOR browser or client to anonymize their network traffic.</li>
<li>The attacker may use the TOR network for command and control of malware, masking the origin of the C2 server.</li>
<li>The attacker may exfiltrate sensitive data through the TOR network, evading network-based data loss prevention (DLP) measures.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of TOR clients within an organization can lead to masked command-and-control activity, data exfiltration, and evasion of security policies. The presence of TOR may indicate a compromised host being used for malicious purposes or an insider threat attempting to exfiltrate sensitive data anonymously. The number of affected systems and the extent of the damage depend on the attacker's objectives and the organization's security posture.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Tor Executable Execution</code> to detect the execution of tor.exe on endpoints.</li>
<li>Deploy the Sigma rule <code>Detect Tor Browser Path</code> to detect the execution of TOR binaries from the Brave Browser or portable TOR installation paths.</li>
<li>Investigate any alerts generated by these rules to determine the intent and scope of TOR usage (reference the Sigma rules above).</li>
<li>Monitor network traffic for connections to known TOR entry nodes if possible (see references for lists of TOR nodes).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>tor</category><category>proxy</category><category>anonymization</category><category>command-and-control</category><category>data-exfiltration</category><category>windows</category></item></channel></rss>