wwilsonmd/threat-hunting-scenario-tor

GitHub: wwilsonmd/threat-hunting-scenario-tor

A Microsoft Defender XDR threat hunting case study demonstrating how unauthorized TOR usage is discovered and analyzed with KQL queries and incident investigation.

Stars: 0 | Forks: 0

# 🛡️ Threat Hunting Case Study: Unauthorized TOR Usage

![Status](https://img.shields.io/badge/Status-Completed-success) ![Platform](https://img.shields.io/badge/Platform-Microsoft%20Defender%20XDR-blue) ![Focus](https://img.shields.io/badge/Focus-Threat%20Hunting-orange) ![MITRE](https://img.shields.io/badge/MITRE-T1090.003-red)

## 📖 Overview

This project documents a real **threat hunting investigation** in which suspicious encrypted traffic led to the discovery of **unauthorized TOR Browser usage** on a corporate endpoint.

## 🎯 Scenario

Management suspected that an employee was using anonymization tools to bypass network restrictions, based on:

- Unusual encrypted traffic patterns
- Connections to known TOR nodes
- An anonymous internal report

## 🧠 Skills Demonstrated

- Threat hunting (Microsoft Defender XDR)
- Kusto Query Language (KQL)
- Incident investigation and timeline analysis
- IOC development
- MITRE ATT&CK mapping
- Blue-team detection engineering

## 🔍 Investigation Summary

| Category | Finding |
|------|------|
| Initial Access | TOR installer downloaded |
| Execution | Silent install using the `/S` flag |
| Persistence | Portable TOR Browser on the Desktop |
| Activity | Multiple TOR processes executed |
| C2 Communication | Connections to TOR relays (port 9001) |

## 🧪 KQL Queries Used

### 📁 File Discovery

```
DeviceFileEvents
| where DeviceName == "michael-windows"
| where InitiatingProcessAccountName == "labuser"
| where FileName contains "tor"
| where Timestamp >= datetime(2026-03-05 21:35:48)
| order by Timestamp desc
```

### ⚙️ Process Execution Detection

```
DeviceProcessEvents
| where DeviceName == "michael-windows"
| where ProcessCommandLine contains "tor-browser-windows-x86_64-portable-15.0.7.exe"
```

### 🧠 TOR Process Activity

```
DeviceProcessEvents
| where FileName has_any ("tor.exe", "firefox.exe", "start-tor-browser.exe")
| order by Timestamp desc
```

### 🌐 Network Detection

```
// RemotePort is an integer column in DeviceNetworkEvents, so the port list uses numeric literals
DeviceNetworkEvents
| where RemotePort in (9001, 9030, 9050, 9150, 443)
| where InitiatingProcessFileName == "tor.exe"
```

## 🧾 Indicators of Compromise (IOCs)

### 🔑 File Hashes

- `958626901dbe17fc003ed671b61b3656375e6f0bc06c9dff60bd2f80d4ace21b`
- `5d7797c72d7eae405d6b2054d94c53494861eb1169d8a1b276775aa48dc94fd7`

### 🌐 Network Indicators

- IP Address: 78.31.250.68
- Port: 9001
- Domain: https://www.y4rfgxj4ds6tlrlho.com

### 📂 Suspicious Paths

- `C:\Users\labuser\Downloads\tor-browser-windows-x86_64-portable-15.0.7.exe`
- `C:\Users\labuser\Desktop\Tor Browser\`

## 🕒 Attack Timeline

- 21:35:48 - TOR files appear on the system
- 21:40:21 - Installer executed
- 21:52:41 - Silent install (`/S` flag)
- 21:53:59 - TOR Browser launched
- 21:54:03 - `tor.exe` starts
- 21:55:53 - External TOR connection established
- 22:10:40 - Continued TOR activity

## 🧠 MITRE ATT&CK Mapping

| Technique | ID | Description |
|------|------|------|
| Multi-hop Proxy (TOR) | T1090.003 | Anonymous communication |
| Defense Evasion | T1564 | Silent installation |
| Execution | T1059 | Process execution |
| C2 Communication | T1071 | Encrypted traffic |

## ⚠️ Risk Analysis

- 🔒 Bypasses network monitoring controls
- 📤 Potential data exfiltration channel
- 🕵️ Indicates intentional evasion behavior
- 🚫 Violates corporate security policy

## 🛠️ Response Actions

- ✅ Endpoint isolated
- ✅ Activity confirmed
- ✅ Management notified

## 🔐 Detection & Prevention Recommendations

### Detection Engineering

Alert on:

- `tor.exe` execution
- Silent installs (`/S`)
- TOR ports (9001–9152)

### Network Controls

- Block TOR-related ports: 9001, 9030, 9050–9152

### Endpoint Hardening

- Application allowlisting
- Restrict portable executable execution

## 🚀 Key Takeaways

- TOR usage can be detected through endpoint + network correlation
- Silent installs are a strong defense evasion indicator
- Combining process + network telemetry is critical for attribution

## 📎 Source Data

See the original investigation notes in this repository.

---
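As an added example that is not part of the original investigation notes, the following KQL implements the correlation the Key Takeaways and Detection Engineering sections describe: a silent `/S` install of the portable TOR Browser installer followed by outbound `tor.exe` connections to relay ports on the same device. Column names follow the Defender XDR Advanced Hunting schema; the 7-day lookback and the port list are assumptions to adjust for your tenant.

```kql
// Added example: correlate a silent TOR Browser install with later tor.exe relay traffic.
// Assumptions: 7-day lookback and the relay/SOCKS port list below.
let lookback = 7d;
let tor_ports = dynamic([9001, 9030, 9050, 9150]);
// Step 1: silent installs of the portable TOR Browser installer (NSIS "/S" switch, case-sensitive).
let silent_installs =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName startswith "tor-browser" and FileName endswith ".exe"
    | where ProcessCommandLine contains_cs "/S"
    | project DeviceId, InstallTime = Timestamp, InstallAccount = AccountName,
              InstallerCommandLine = ProcessCommandLine;
// Step 2: outbound connections from tor.exe to public addresses on TOR ports,
// collapsed to one row per device with first/last seen and a sample of remotes.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "tor.exe"
| where RemoteIPType == "Public"
| where RemotePort in (tor_ports)
| summarize FirstConnection = min(Timestamp), LastConnection = max(Timestamp),
            ConnectionCount = count(),
            Remotes = make_set(strcat(RemoteIP, ":", tostring(RemotePort)), 20)
    by DeviceId, DeviceName
// Step 3: keep only devices where the silent install preceded the first relay connection.
| join kind=inner silent_installs on DeviceId
| where InstallTime <= FirstConnection
| extend MinutesToFirstConnection = datetime_diff("minute", FirstConnection, InstallTime)
| project DeviceName, InstallAccount, InstallerCommandLine, InstallTime,
          FirstConnection, MinutesToFirstConnection, LastConnection, ConnectionCount, Remotes
| order by FirstConnection desc
```

Each result row is one device where both signals line up, which is a much stronger alert candidate than either the `/S` install or the port-9001 connection on its own.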
Tags: C2 communication, Cloudflare, EDR, IOC development, KQL, Kusto Query Language, Microsoft Defender XDR, MITRE ATT&CK, PB-scale data processing, T1090, TOR, incident investigation, encrypted traffic analysis, anonymity networks, threat intelligence, security operations, developer tools, lateral movement, port 9001, endpoint detection and response, coding standards, network isolation bypass, vulnerability assessment, unpacking tools