internal_tor

Explanation

This event is triggered by Netography’s Fusion Portal when it detects a Tor node on the customer network. Tor is a proxy protocol that is used to hide the origin of network traffic. An unauthorized Tor node running on your network could be an indicator of compromise.

What to Look For

If this activity is against internal policy, the detected endpoints should be examined for any applications or processes that may be involved with running the Tor protocol.

Related MITRE ATT&CK Categories

Proxy, Technique T1090 - Enterprise