Suspicious Tor DNS request
Description
AlphaSOC detected a DNS request for a destination associated with the Tor network, indicating the use of a Tor proxy reachable over the clearnet. Tor proxies allow communication with the Tor network while appearing to the surface web as standard Internet traffic.
Impact
The use of Tor proxies complicates incident response by obscuring the true origin of traffic. Threat actors may exploit this for malicious purposes, such as data exfiltration or command and control (C2) communications.
| Severity | Additional Condition |
|---|---|
| Medium | Tor DNS request |
Investigation and Remediation
Identify the system initiating the Tor proxy-related DNS request to determine if the use is authorized. If unauthorized activity is confirmed, block communication with Tor entry points. Conduct a thorough security assessment to identify any potential compromises or data breaches.
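The first investigation step above, identifying which internal host issued the Tor-related DNS request, can be done over DNS resolver logs. The following is an added example, not AlphaSOC's own detection code; it assumes a simple "timestamp source-IP query-name" log format, a constructed sample log, and a hypothetical watchlist of clearnet Tor-gateway domains that a real deployment would maintain from its own threat intelligence. It also flags bare `.onion` names, which should never reach clearnet DNS at all.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the original page): "timestamp src_ip query_name".
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 www.example.com
2024-05-01T10:00:04Z 10.0.0.15 abcdefghijklmnop.onion.to
2024-05-01T10:00:09Z 10.0.0.42 update.example.org
2024-05-01T10:00:12Z 10.0.0.42 somehiddenservice.onion
2024-05-01T10:00:20Z 10.0.0.15 tor2web.org
"""

# Hypothetical watchlist of clearnet Tor-gateway (Tor2web-style) domains.
# A real deployment would keep its own curated list from threat intelligence feeds.
TOR_PROXY_DOMAINS = {"onion.to", "onion.ws", "onion.ly", "tor2web.org"}
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def classify_query(qname: str):
    """Return a reason string if the query name is Tor-related, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-1] == "onion":
        # .onion is reserved for Tor and must never be sent to clearnet DNS (RFC 7686)
        return "onion-tld-leak"
    # Walk each parent suffix so subdomains of a gateway domain also match
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in TOR_PROXY_DOMAINS:
            return "tor-proxy-domain"
    return None


def find_tor_dns_requests(log_text: str) -> dict:
    """Map each source IP to the list of (query, reason) pairs that matched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        _ts, src_ip, qname = m.groups()
        reason = classify_query(qname)
        if reason:
            hits[src_ip].append((qname, reason))
    return dict(hits)


if __name__ == "__main__":
    for src, matches in find_tor_dns_requests(SAMPLE_DNS_LOG).items():
        print(src, matches)
```

Each source IP in the result is a host to check for authorized Tor use before blocking; the reason string distinguishes a leaked `.onion` lookup from a clearnet gateway query.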
Known False Positives
- Employees may use Tor for browsing
- Security tools or VPN services may trigger Tor-related DNS lookups
- Malware analysis or threat intelligence platforms may generate Tor DNS requests as part of their operations
- VPN services configured to route through Tor exit nodes