Profile

Steven Bealle

Cybersecurity Analyst

Threat Event (Unauthorized TOR Usage)

Unauthorized TOR Browser Installation and Use

Tor Browser Network Connection

Table of Contents

️ Steps the "Bad Actor" took to Create Logs and IoCs:

  1. Download the TOR browser installer: https://www.torproject.org/download/
  2. Install it silently: tor-browser-windows-x86_64-portable-15.0.6.exe /S
    (Note: the above command may need to change depending on the current version of the download)
  3. Opens the TOR browser from the folder on the desktop.
  4. Connect to TOR and browse a few sites.
  5. Create a folder on your desktop called tor-shopping-list.txt and put a few fake (illicit) items in there.
  6. Delete the file.

Tables Used to Detect IoCs:

Name DeviceFileEvents
Info Microsoft Defender Reference
Purpose Used for detecting TOR download and installation, as well as the shopping list creation and deletion.
Name DeviceProcessEvents
Info Microsoft Defender Reference
Purpose Used to detect the silent installation of TOR as well as the TOR browser and service launching.
Name DeviceNetworkEvents
Info Microsoft Defender Reference
Purpose Used to detect TOR network activity, specifically tor.exe and firefox.exe making connections over ports to be used by TOR (9001, 9030, 9040, 9050, 9051, 9150).

Related Queries (KQL)

The following Kusto Query Language (KQL) scripts were utilized to hunt for the Indicators of Compromise (IoCs) generated during the event.

KQL: Detect the installer being downloaded 
// Installer name == tor-browser-windows-x86_64-portable-(version).exe
DeviceFileEvents
| where FileName startswith "tor"
KQL: Detect TOR Browser being silently installed 
// Take note of two spaces before the /S 
DeviceProcessEvents
| where ProcessCommandLine contains "tor-browser-windows-x86_64-portable-15.0.6.exe  /S"
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine
KQL: Verify TOR Browser or service was successfully installed on disk 
DeviceFileEvents
| where FileName has_any ("tor.exe", "firefox.exe")
| project  Timestamp, DeviceName, RequestAccountName, ActionType, InitiatingProcessCommandLine
KQL: Detect TOR Browser or service being launched 
DeviceProcessEvents
| where ProcessCommandLine has_any("tor.exe","firefox.exe")
| project  Timestamp, DeviceName, AccountName, ActionType, ProcessCommandLine
KQL: Detect active TOR network connections 
// TOR Browser or service is being used and is actively creating network connections
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("tor.exe", "firefox.exe")
| where RemotePort in (9001, 9030, 9040, 9050, 9051, 9150)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
KQL: Detect Shopping List Creation/Deletion 
// User shopping list was created, changed, or deleted
DeviceFileEvents
| where FileName contains "shopping list.txt"

Project Metadata & Revision History

Created By:

Validated By:

  • Reviewer Name: Pending
  • Reviewer Contact: Pending
  • Validation Date: Pending

Revision History

Version Changes Date Modified By
1.0 Initial draft 2026-02-16 Steven Bealle