Suspicious API call from a Tor exit node

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

High

Description

A cloud API was called from a Tor exit node.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.

Variations

Suspicious Kubernetes API call from a Tor exit node

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

High

Description

A Kubernetes API was called from a Tor exit node.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.


A Failed API call from a Tor exit node

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

Informational

Description

A cloud API was called from a Tor exit node.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.