Dan Chui
Happy Bytes

Threat Hunting with Microsoft Defender: Investigating Tor Browser Activity


🔎 Threat Hunting with Microsoft Defender: Investigating Tor Browser Activity

Threat hunting is one of the most valuable skills for a security analyst. Rather than waiting for alerts, analysts proactively search for suspicious activity hidden in telemetry data.

In this project, I conducted a threat hunt using Microsoft Defender XDR Advanced Hunting to investigate suspicious activity related to the Tor Browser on an endpoint.

The investigation confirmed that Tor was downloaded, installed, and used on the system, with network connections established to Tor relay infrastructure.

Let's walk through the investigation process step-by-step.


🎯 Investigation Overview

Field | Value
Investigation Type | Threat Hunt
Platform | Microsoft Defender XDR
Endpoint | vm-hunt-tyo
User | dan
Detection Method | KQL Log Analysis

Investigation Objective

Identify whether the Tor Browser was installed or used on the endpoint and determine:

  • When Tor was downloaded
  • Whether it was executed
  • If network connections to Tor infrastructure occurred
  • What user artifacts were created during activity

🧠 Why Tor Activity Matters

Tor itself is not malicious, but it is often associated with:

  • Anonymous browsing
  • Dark web marketplace access
  • Data exfiltration
  • Corporate security policy violations

For security teams, Tor usage can be a high-risk signal depending on the environment.


🔍 Threat Hunting Methodology

The investigation relied on Microsoft Defender Advanced Hunting and several telemetry tables:

Log Source | Purpose
DeviceFileEvents | Detect Tor downloads and file creation
DeviceProcessEvents | Detect installer execution
DeviceNetworkEvents | Identify Tor network connections

The hunting workflow followed this sequence:

1๏ธโƒฃ Identify Tor-related file downloads
2๏ธโƒฃ Confirm installer execution
3๏ธโƒฃ Detect Tor process creation
4๏ธโƒฃ Identify network connections to Tor infrastructure
5๏ธโƒฃ Investigate user artifacts created during activity


โฑ Timeline of Events

The investigation revealed the following timeline:

Time (UTC) | Event
00:18:19 | Tor installer downloaded
00:21:44 | Tor installer executed
00:22:04–00:22:12 | Tor files extracted to Desktop
00:22:22 | Tor Browser launched
00:22:34 | Connection established to Tor relay
00:22:37–00:27:54 | Continued Tor browsing activity
00:35:58 | tor-shopping-list.txt created

This sequence shows a complete activity chain from download to network communication.


📥 Step 1: Identifying Tor Downloads

The first step was to search the file telemetry for any file whose name starts with the string "tor", scoped to the endpoint and user under investigation.

// File events on the lab endpoint, limited to actions initiated by the user "dan"
DeviceFileEvents
| where DeviceName == "vm-hunt-tyo"
| where InitiatingProcessAccountName == "dan"
// Catches the installer (tor-browser-...exe) and any other file named tor*
| where FileName startswith "tor"
| order by Timestamp desc

This query identified the download of: tor-browser-windows-x86_64-portable-15.0.7.exe

This installer was downloaded to the Downloads directory, marking the start of Tor activity.


⚙️ Step 2: Detecting Installer Execution

Next, I searched process execution logs to determine whether the installer was run.

// Process creation events where the installer's name appears in the command line
DeviceProcessEvents
| where DeviceName == "vm-hunt-tyo"
| where ProcessCommandLine contains "tor-browser"
| project Timestamp, AccountName, FileName, ProcessCommandLine

The logs confirmed that the installer was executed and triggered a silent installation.


🚀 Step 3: Detecting Tor Process Activity

To confirm that Tor was actually launched, I searched for the following processes:

tor.exe | firefox.exe (Tor Browser)

// Process creation for the Tor daemon and the Firefox build shipped with Tor Browser
DeviceProcessEvents
| where DeviceName == "vm-hunt-tyo"
| where FileName has_any ("tor.exe","firefox.exe")

The logs confirmed both processes were executed shortly after installation.


🌐 Step 4: Detecting Tor Network Connections

One of the strongest indicators of Tor activity is network communication with Tor relay nodes.

Tor commonly uses ports such as:

9001 | 9030 | 9050 | 9051 | 9150

The following query identified Tor network activity. It also includes 9040 and the web ports 80 and 443, which relays commonly listen on as well, so the filter on the initiating process name is what keeps the result precise:

// Outbound connections from the Tor processes found in Step 3
DeviceNetworkEvents
| where DeviceName == "vm-hunt-tyo"
| where InitiatingProcessFileName in ("tor.exe","firefox.exe")
// RemotePort is an integer column, so the port list must be numeric, not quoted strings
| where RemotePort in (9001, 9030, 9040, 9050, 9051, 9150, 80, 443)
| project Timestamp, InitiatingProcessFileName, RemoteIP, RemotePort, ActionType

The endpoint established a connection to:

IP Address: 15.204.223.128 | Port: 9001 | Process: tor.exe

This confirms the system successfully connected to a Tor relay node.


📄 Step 5: Identifying User Artifacts

Later in the timeline, the following file was created on the Desktop: tor-shopping-list.txt


While the file contents were not analyzed in this investigation, its name suggests it may have been created during Tor browsing activity.
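The five steps above can be run as one query that stitches the file, process and network telemetry into a single ordered timeline. This is an added example, not a query from the original post; it uses the Defender XDR Advanced Hunting table and column names, and the device, account and port values from this lab.

```kql
// Added example (not the post's own query): correlate the five hunt steps into one
// ordered timeline for the endpoint. Table and column names follow the Defender XDR
// Advanced Hunting schema; device, account and port values are the lab values above.
let targetDevice = "vm-hunt-tyo";
let targetAccount = "dan";
let torPorts = dynamic([9001, 9030, 9040, 9050, 9051, 9150]);
// Step 1: installer download and extracted files (file telemetry)
let fileStage = DeviceFileEvents
    | where DeviceName == targetDevice and InitiatingProcessAccountName == targetAccount
    | where FileName startswith "tor"
    | project Timestamp, Stage = "File", Detail = strcat(ActionType, " ", FileName);
// Steps 2 and 3: installer execution and tor.exe / firefox.exe process creation
let processStage = DeviceProcessEvents
    | where DeviceName == targetDevice and AccountName == targetAccount
    | where ProcessCommandLine contains "tor-browser" or FileName in~ ("tor.exe", "firefox.exe")
    | project Timestamp, Stage = "Process", Detail = strcat(FileName, " ", ProcessCommandLine);
// Step 4: successful outbound connections from Tor processes on common Tor ports
let networkStage = DeviceNetworkEvents
    | where DeviceName == targetDevice
    | where InitiatingProcessFileName in~ ("tor.exe", "firefox.exe")
    | where ActionType == "ConnectionSuccess" and RemotePort in (torPorts)
    | project Timestamp, Stage = "Network",
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort));
// Step 5: files the user created on the Desktop while Tor was active
// (this also lists the extracted Tor Browser files, which the timeline shows as well)
let artifactStage = DeviceFileEvents
    | where DeviceName == targetDevice and InitiatingProcessAccountName == targetAccount
    | where ActionType == "FileCreated" and FolderPath has "Desktop"
    | project Timestamp, Stage = "Artifact", Detail = strcat(ActionType, " ", FolderPath);
// Merge the stages in time order and show the gap between consecutive events, so the
// download -> execute -> connect chain and any long pauses are visible at a glance
union fileStage, processStage, networkStage, artifactStage
| order by Timestamp asc
| extend GapSinceLastEvent = Timestamp - prev(Timestamp)
| project Timestamp, Stage, Detail, GapSinceLastEvent
```

The GapSinceLastEvent column makes it easy to see that the download, installation, launch and first relay connection here fall within a few minutes of each other, while the text file appears roughly thirteen minutes later.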


🚨 Indicators of Compromise (IOCs)

Type | Indicator
File | tor-browser-windows-x86_64-portable-15.0.7.exe
File | tor-shopping-list.txt
Process | tor.exe
Process | firefox.exe
IP Address | 15.204.223.128
Port | 9001

🧬 MITRE ATT&CK Mapping

The activity observed aligns with several MITRE ATT&CK techniques:

Technique | ID
User Execution | T1204
Ingress Tool Transfer | T1105
Application Layer Protocol | T1071
Encrypted Channel | T1573

These techniques describe the download, execution, and encrypted communication behaviors observed during the investigation.


🛡 Security Assessment

This investigation confirmed:

  • Tor Browser was downloaded
  • Tor Browser was executed
  • Tor processes ran on the endpoint
  • The system connected to the Tor network

Although Tor is not inherently malicious, its presence in enterprise environments can indicate:

  • Anonymous activity
  • Attempts to bypass monitoring
  • Possible policy violations

Organizations often monitor or restrict Tor usage as part of their security controls.


Endpoint Monitoring

Detect execution of: tor.exe

Application Control

Restrict installation of anonymizing tools such as:

  • Tor Browser
  • Proxy tunneling tools

Network Controls

Consider blocking outbound connections to common Tor ports: 9001 | 9030 | 9050 | 9051 | 9150
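The endpoint-monitoring and network-control recommendations above can be turned into a scheduled Advanced Hunting detection. This is an added example, not part of the original post; the port list is the one given above plus 9040, and the one-hour lookback and three-host threshold are assumptions to tune for your environment.

```kql
// Added example (not the post's own query): a scheduled detection for the controls
// above. Raises one row per device and account when tor.exe (or the Tor Browser
// installer) ran, or when a process reached several distinct public hosts on common
// Tor ports within the lookback window. The port list is the post's list plus 9040;
// the 1h window and the 3-host threshold are assumptions.
let torPorts = dynamic([9001, 9030, 9040, 9050, 9051, 9150]);
let lookback = 1h;
let minDistinctHosts = 3;
// Signal 1: the Tor daemon or the Tor Browser installer was executed
let torExecution = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "tor.exe" or ProcessCommandLine has "tor-browser"
    | extend Signal = "TorProcessExecution"
    | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
                Sample = take_any(ProcessCommandLine)
      by DeviceName, AccountName, Signal;
// Signal 2: repeated successful connections on Tor ports, regardless of process name,
// which also catches a renamed binary that the tor.exe filter above would miss
let torPortTraffic = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
    | where RemotePort in (torPorts)
    | extend Signal = "TorPortConnections", AccountName = InitiatingProcessAccountName,
             Connection = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort))
    | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = dcount(RemoteIP),
                Sample = take_any(Connection)
      by DeviceName, AccountName, Signal
    // One Tor-port hit can be benign; several distinct relays in an hour is the stronger signal
    | where Hits >= minDistinctHosts;
union torExecution, torPortTraffic
| order by DeviceName asc, FirstSeen asc
```

Run against the lab telemetry, the endpoint vm-hunt-tyo would surface under both signals: TorProcessExecution from the installer and tor.exe runs in Steps 2 and 3, and TorPortConnections once enough distinct relays on port 9001 had been reached.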


🧾 Conclusion

This threat hunting investigation confirmed that the Tor Browser was downloaded, installed, and used on the endpoint, vm-hunt-tyo.

The browser successfully connected to Tor relay infrastructure, enabling anonymous communication through the Tor network.

While no additional malicious payloads were identified during this investigation, the presence of anonymizing tools may represent a security policy violation and potential risk within enterprise environments.


📥 Download the Executive Summary Report

👉 Tor Threat Hunting Summary Report (PDF)

🔗 Full report and supporting files available on GitHub


⚠️ Disclaimer: This project is a simulated threat hunting exercise created for educational and portfolio purposes. The environment, devices, and user accounts referenced are part of a controlled lab environment and do not represent real-world systems or individuals.


Thanks for reading! 🙏

If you're interested in security governance, GRC frameworks, or enterprise risk programs - feel free to connect with me on LinkedIn.

Feel free to reach out with questions or thoughts.