Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
Suspicious connection from a known TOR IP to an uncommon port.
Attacker's Goals
Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.
Investigative actions
Investigate the network configuration related to the destination port (why it is reachable from the internet).
Investigate the processes listening on that port.
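The detection described above, as an added example that is not Cortex XDR's own detector logic: a training period establishes which inbound destination ports are common for each host, then each test event is flagged when its source is a known TOR IP and its destination port was never seen for that host, with a 1-day deduplication window per host and port matching the synopsis. The TOR exit list, the log format and the log lines are all constructed for the example (documentation-range addresses, not real exit nodes).

```python
"""Added example (not Cortex XDR code): inbound connection from a known
TOR IP to a port that is uncommon for the destination host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed TOR exit list (assumption: a real detector would load a
# published exit-node list; these are documentation-range addresses).
TOR_EXIT_IPS = {"203.0.113.7", "198.51.100.23"}
DEDUP_WINDOW = timedelta(days=1)  # deduplication period from the synopsis

# Constructed sample logs, one connection per line:
# "timestamp|src_ip|dst_host|dst_port"
TRAINING_LOG = """\
2024-04-01T09:00:00|192.0.2.10|ws-01|443
2024-04-02T09:05:00|192.0.2.11|ws-01|3389
2024-04-15T12:00:00|192.0.2.12|ws-01|443
2024-04-20T08:30:00|192.0.2.13|srv-02|22
"""

TEST_LOG = """\
2024-05-01T10:00:00|203.0.113.7|ws-01|4444
2024-05-01T12:00:00|203.0.113.7|ws-01|4444
2024-05-01T13:00:00|198.51.100.23|ws-01|443
2024-05-01T14:00:00|192.0.2.50|ws-01|4444
2024-05-03T10:00:00|198.51.100.23|ws-01|4444
2024-05-03T11:00:00|203.0.113.7|srv-02|22
"""


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "src_ip": src,
                       "dst_host": host, "dst_port": int(port)})
    return events


def build_port_baseline(training_events):
    """Training period: the set of inbound ports each host normally serves."""
    baseline = defaultdict(set)
    for ev in training_events:
        baseline[ev["dst_host"]].add(ev["dst_port"])
    return baseline


def detect_tor_uncommon_port(events, baseline, tor_ips=TOR_EXIT_IPS,
                             dedup=DEDUP_WINDOW):
    """Flag TOR-sourced connections to ports absent from the host baseline,
    at most once per (host, port) within the deduplication window."""
    alerts = []
    last_alert = {}  # (dst_host, dst_port) -> timestamp of last alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src_ip"] not in tor_ips:
            continue  # not a known TOR IP
        host, port = ev["dst_host"], ev["dst_port"]
        if port in baseline.get(host, set()):
            continue  # port is common for this host; a different detector's job
        key = (host, port)
        prev = last_alert.get(key)
        if prev is not None and ev["ts"] - prev < dedup:
            continue  # deduplicated: already alerted within the window
        last_alert[key] = ev["ts"]
        alerts.append({"ts": ev["ts"].isoformat(), "src_ip": ev["src_ip"],
                       "dst_host": host, "dst_port": port, "severity": "Low"})
    return alerts


def run_example():
    baseline = build_port_baseline(parse_log(TRAINING_LOG))
    return detect_tor_uncommon_port(parse_log(TEST_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Of the six test connections, only the first TOR hit on ws-01:4444 and the one two days later are raised; the repeat two hours later is deduplicated, the TOR connection to port 443 and the non-TOR connection to 4444 are ignored, and srv-02:22 is in its baseline. Each alert carries the host and port that the investigative actions above start from.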
Variations
Abnormal network communication through TOR using an uncommon port and App-ID
Abnormal network communication through TOR using a suspicious port