tor_connection_external_internal

Explanation

This event is triggered by Netography's Fusion Portal when it detects traffic originating from a TOR network exit node communicating with monitored hosts. Traffic from the TOR network is not inherently malicious; however, attackers commonly use the TOR network to hide the origin of other attacks. These attacks might include password brute forcing, host or vulnerability discovery (scanning), or data exfiltration.

What to Look For

Scanning activity from the Internet is very common, so this event on its own is not necessarily concerning or even malicious. Some things to investigate include: traffic to hosts that are not expected to be reachable from the Internet, a large number of requests to a single host, and a large volume of data leaving a single host.
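As an added example (not Netography's code), the three checks above applied to constructed flow records in Python. The exit-node list, the inventory of Internet-facing hosts, the flow records and the thresholds are all assumed placeholders; in practice the exit-node list would come from a current Tor exit list and the flows from the Fusion Portal event.

```python
from collections import Counter, defaultdict

# Constructed sample Tor exit node list (documentation-range addresses, not a real exit list).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Hypothetical inventory of hosts that are expected to be reachable from the Internet.
INTERNET_FACING = {"10.0.0.5"}

# Constructed sample flow records: source, destination, destination port,
# bytes sent by the source, and bytes sent back by the destination.
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 443, "bytes_in": 1200, "bytes_out": 8000},
    {"src": "198.51.100.7", "dst": "10.0.0.9", "dport": 22, "bytes_in": 500, "bytes_out": 300},
    {"src": "203.0.113.42", "dst": "10.0.0.9", "dport": 3389, "bytes_in": 400, "bytes_out": 200},
    {"src": "198.51.100.7", "dst": "10.0.0.12", "dport": 443, "bytes_in": 2000, "bytes_out": 52_000_000},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "dport": 443, "bytes_in": 900, "bytes_out": 7000},
] + [
    # 60 short flows from one exit node to the web server (constructed burst)
    {"src": "203.0.113.42", "dst": "10.0.0.5", "dport": 443, "bytes_in": 300, "bytes_out": 1500}
    for _ in range(60)
]


def triage_tor_flows(flows, exit_nodes=TOR_EXIT_NODES, internet_facing=INTERNET_FACING,
                     request_threshold=50, egress_bytes_threshold=10_000_000):
    """Apply the three checks from the event description to flows sourced from Tor exit nodes.

    Returns a dict with:
      tor_flow_count:     number of flows whose source is a known exit node
      unexpected_hosts:   contacted hosts that are not expected to be Internet-reachable
      high_request_hosts: hosts receiving more than request_threshold Tor-sourced flows
      high_egress_hosts:  hosts sending more than egress_bytes_threshold bytes back to Tor
    """
    tor_flows = [f for f in flows if f["src"] in exit_nodes]
    requests = Counter(f["dst"] for f in tor_flows)
    egress = defaultdict(int)
    for f in tor_flows:
        egress[f["dst"]] += f["bytes_out"]
    return {
        "tor_flow_count": len(tor_flows),
        "unexpected_hosts": sorted({f["dst"] for f in tor_flows} - internet_facing),
        "high_request_hosts": sorted(h for h, n in requests.items() if n > request_threshold),
        "high_egress_hosts": sorted(h for h, b in egress.items() if b > egress_bytes_threshold),
    }


if __name__ == "__main__":
    for key, value in triage_tor_flows(FLOWS).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately tunable: a public web server will legitimately see many Tor-sourced requests, so the request and egress limits should be set per host class rather than globally.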

Related MITRE ATT&CK Categories

Exfiltration Over C2 Channel, Technique T1041 - Enterprise

Proxy, Technique T1090 - Enterprise