Tor Activity to the Internet
This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
deprecation_date = "2021/04/15"
maturity = "deprecated"
updated_date = "2021/04/15"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol
that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by
threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.
"""
false_positives = [
    """
    Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks
    where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain
    conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In
    this case, such servers can be excluded if desired.
    """,
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Tor Activity to the Internet"
risk_score = 47
rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and
  source.ip:(10.0.0.0/8 or
             172.16.0.0/12 or
             192.168.0.0/16) and

  not destination.ip:(10.0.0.0/8 or
                      127.0.0.0/8 or
                      169.254.0.0/16 or
                      172.16.0.0/12 or
                      192.168.0.0/16 or
                      224.0.0.0/4 or
                      "::1" or
                      "FE80::/10" or
                      "FF00::/8")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1090"
name = "Proxy"
reference = "https://attack.mitre.org/techniques/T1090/"
[[rule.threat.technique.subtechnique]]
id = "T1090.003"
name = "Multi-hop Proxy"
reference = "https://attack.mitre.org/techniques/T1090/003/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
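As an added example that is not part of the Elastic rule, the Python below re-implements the query's clauses (TCP, destination port 9001 or 9030, RFC 1918 source, non-internal destination) and runs them over constructed ECS-style events, including the NATed-web-server false positive the rule notes describe; the `excluded_servers` parameter is a hypothetical tuning knob standing in for the exclusion the notes suggest.

```python
import ipaddress

# Added example, not Elastic's code: the rule's KQL clauses re-implemented in
# Python so they can be exercised against constructed ECS-style events.
TOR_PORTS = {9001, 9030}
PRIVATE_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destinations the query excludes: internal, loopback, link-local, multicast, IPv6 equivalents.
EXCLUDED_DESTS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]

def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)

def matches_tor_rule(event, excluded_servers=()):
    """True when a flat ECS-style event satisfies every clause of the rule query.

    excluded_servers is a hypothetical tuning knob: internal hosts (e.g. a NATed
    web server) whose replies to clients on port 9001/9030 would otherwise fire.
    """
    cats = event.get("event.category", [])
    cats = [cats] if isinstance(cats, str) else cats   # ECS allows a list here
    if not ({"network", "network_traffic"} & set(cats)):
        return False
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") not in TOR_PORTS:
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if not src or not dst or src in excluded_servers:
        return False
    return _in_any(src, PRIVATE_SOURCES) and not _in_any(dst, EXCLUDED_DESTS)

def alerts(events, excluded_servers=()):
    return [e for e in events if matches_tor_rule(e, excluded_servers)]

# Constructed sample events; field names are the flat ECS names the query uses.
def _ev(transport, src, dst, dport):
    return {"event.category": "network", "network.transport": transport,
            "source.ip": src, "destination.ip": dst, "destination.port": dport}

SAMPLE_EVENTS = [
    _ev("tcp", "192.168.1.20", "203.0.113.5", 9001),   # workstation -> public host on OR port: alert
    _ev("tcp", "10.5.0.7", "10.1.2.3", 9030),          # internal destination: excluded
    _ev("udp", "10.5.0.7", "203.0.113.5", 9001),       # not TCP: no match
    _ev("tcp", "198.51.100.9", "203.0.113.5", 9001),   # public source: no match
    _ev("tcp", "10.0.0.80", "203.0.113.77", 9001),     # NATed web server replying to a client
]                                                      # whose ephemeral port was 9001: false positive
```

Running `alerts(SAMPLE_EVENTS)` returns the genuine hit and the web-server reply; passing `excluded_servers=("10.0.0.80",)` drops the latter, which is the exclusion the rule's false-positive note describes.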
Related rules
- FTP (File Transfer Protocol) Activity to the Internet
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- PPTP (Point to Point Tunneling Protocol) Activity
- Proxy Port Activity to the Internet
- SMTP to the Internet