Suspicious Tor DNS request

ID: tor_dns
Data type: DNS
Severity: Medium
MITRE ATT&CK: TA0011:T1090.003

Description

AlphaSOC detected a DNS request for a destination associated with the Tor network, indicating the use of Tor proxies reachable over the clearnet. Such proxies allow communication with the Tor network while the traffic appears to the surface web as ordinary Internet traffic.

Impact

The use of Tor proxies complicates incident response by obscuring the true origin of traffic. Threat actors may use them for malicious purposes, such as data exfiltration or command and control (C2) communications.

Severity    Additional Condition
Medium      Tor DNS request

Investigation and Remediation

Identify the system that initiated the Tor proxy-related DNS request and determine whether the use is authorized. If unauthorized activity is confirmed, block communication with Tor entry points. Conduct a thorough security assessment to identify any potential compromise or data breach.

Known False Positives

  • Employees may use Tor for browsing
  • Security tools or VPN services may trigger Tor-related DNS lookups
  • Malware analysis or threat intelligence platforms may generate Tor DNS requests as part of their operations
  • VPN services configured to route through Tor exit nodes
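The triage step above (identify the initiating system, then separate authorized from unauthorized use) can be scripted against DNS query logs. The following is an added example written for this page, not AlphaSOC's own detection logic. It assumes a constructed log format (timestamp, source host, query name, record type), an assumed list of clearnet Tor gateway domain suffixes that a real deployment would replace with a maintained threat-intelligence feed, and an allowlist of hosts expected to generate Tor lookups (the sandbox and analysis-platform false positives listed above).

```python
import re
from collections import defaultdict

# Constructed sample DNS query log lines (not from the AlphaSOC page).
# Format: timestamp, source host, query name, record type.
SAMPLE_DNS_LOG = """\
2024-05-01T10:01:02Z ws-finance-07 login.example.com A
2024-05-01T10:01:05Z ws-finance-07 exampleonion1234.onion.ws A
2024-05-01T10:02:10Z soc-sandbox-01 tor2web.org A
2024-05-01T10:02:11Z soc-sandbox-01 exampleonion5678.onion.to A
2024-05-01T10:03:00Z ws-hr-02 updates.example.net A
2024-05-01T10:03:30Z ws-finance-07 exampleonion9012.onion.pet AAAA
"""

# Assumed list of clearnet Tor gateway domain suffixes. A production
# detector would load this from a maintained threat-intelligence feed.
TOR_PROXY_SUFFIXES = ("onion.to", "onion.ws", "onion.ly", "onion.pet", "tor2web.org")

# Hosts whose Tor-related lookups are expected (e.g. a malware-analysis
# sandbox), matching the "Known False Positives" above. Assumed names.
AUTHORIZED_HOSTS = {"soc-sandbox-01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def is_tor_proxy_query(qname):
    """True if the query name is, or is a subdomain of, a known gateway suffix.

    Matching on the label boundary avoids false hits such as 'notonion.to'.
    """
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in TOR_PROXY_SUFFIXES)


def parse_dns_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage_tor_dns(text, authorized=AUTHORIZED_HOSTS):
    """Group Tor-gateway lookups by source host and split them into
    alerts (unauthorized hosts) and suppressed hits (allowlisted hosts).

    Returns (alerts, suppressed), each a dict of host -> list of query names.
    """
    hits = defaultdict(list)
    for ev in parse_dns_log(text):
        if is_tor_proxy_query(ev["qname"]):
            hits[ev["host"]].append(ev["qname"])
    alerts = {h: q for h, q in hits.items() if h not in authorized}
    suppressed = {h: q for h, q in hits.items() if h in authorized}
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage_tor_dns(SAMPLE_DNS_LOG)
    for host, names in alerts.items():
        print(f"ALERT   {host}: {', '.join(names)}")
    for host, names in suppressed.items():
        print(f"ALLOWED {host}: {', '.join(names)}")
```

The output lists the workstation to investigate first (the host behind the unauthorized lookups), while the sandbox's lookups are kept visible but not alerted, so an analyst can still audit the allowlist rather than silently discarding those events.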