tor_connection_internal_external
Explanation
This event is triggered by Netography’s Fusion Portal when it detects a connection attempt from an internal network device to a known Tor entry node. Tor is often used to hide the origin of network traffic, so this activity may indicate malicious behavior, attempts to evade network use policy, or circumvention of other network controls.
What to Look For
If this activity is against internal policy, the detected endpoints should be examined for any applications or processes that may be attempting to use Tor. Tor entry traffic can use many different TCP ports, and may be hard to block at the network level.
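To help find which endpoints to examine, the following added example (not Netography's detection logic) matches flow records by destination address rather than port and groups the hits by internal host. The node list, flow records, field layout, and the choice of RFC 1918 ranges as "internal" are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a Tor entry-node feed (documentation-range IPs).
TOR_ENTRY_NODES = {"203.0.113.10", "198.51.100.77"}

# Assumption: "internal" means RFC 1918 space; adjust to the site's ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol).
SAMPLE_FLOWS = [
    ("10.1.4.23", "203.0.113.10", 9001, "tcp"),
    ("10.1.4.23", "203.0.113.10", 443, "tcp"),
    ("10.1.4.23", "192.0.2.50", 443, "tcp"),        # destination not on the list
    ("192.168.7.5", "198.51.100.77", 8443, "tcp"),
    ("198.51.100.77", "10.1.4.23", 51000, "tcp"),   # external to internal
    ("172.16.0.9", "203.0.113.10", 53, "udp"),      # not TCP
    ("not-an-ip", "203.0.113.10", 443, "tcp"),      # malformed record
]

def is_internal(ip_text):
    """True if ip_text parses as an address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_tor_entry_connections(flows, tor_nodes):
    """Group internal-to-Tor-entry TCP flows by internal source host."""
    hits = defaultdict(lambda: {"nodes": set(), "ports": set(), "flows": 0})
    for src, dst, port, proto in flows:
        # Match on destination address only: the port is not a reliable filter.
        if proto != "tcp" or dst not in tor_nodes:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        hits[src]["nodes"].add(dst)
        hits[src]["ports"].add(port)
        hits[src]["flows"] += 1
    return dict(hits)

if __name__ == "__main__":
    found = find_tor_entry_connections(SAMPLE_FLOWS, TOR_ENTRY_NODES)
    for host, info in sorted(found.items()):
        print(host, sorted(info["nodes"]), sorted(info["ports"]), info["flows"])
```

The per-host port set shows why a port-based block is unreliable: the constructed sample reaches the same kind of destination over 443, 8443, and 9001.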
Related MITRE ATT&CK Categories
Exfiltration Over C2 Channel, Technique T1041 - Enterprise
Proxy, Technique T1090 - Enterprise