Tor Activity to the Internet

calendar Apr 21, 2021 · Elastic Host Network Threat Detection Command and Control  ·
Share on: linkedin copy

This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3deprecation_date = "2021/04/15"
 4maturity = "deprecated"
 5updated_date = "2021/04/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol
11that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by
12threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.
13"""
14false_positives = [
15    """
16    Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks
17    where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain
18    conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In
19    this case, such servers can be excluded if desired.
20    """,
21]
22from = "now-9m"
23index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Tor Activity to the Internet"
27risk_score = 47
28rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
29severity = "medium"
30tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and
36  source.ip:(10.0.0.0/8 or
37             172.16.0.0/12 or
38             192.168.0.0/16) and
39
40  not destination.ip:(10.0.0.0/8 or
41                      127.0.0.0/8 or
42                      169.254.0.0/16 or
43                      172.16.0.0/12 or
44                      192.168.0.0/16 or
45                      224.0.0.0/4 or
46                      "::1" or
47                      "FE80::/10" or
48                      "FF00::/8")
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1090"
56name = "Proxy"
57reference = "https://attack.mitre.org/techniques/T1090/"
58[[rule.threat.technique.subtechnique]]
59id = "T1090.003"
60name = "Multi-hop Proxy"
61reference = "https://attack.mitre.org/techniques/T1090/003/"
62
63
64
65[rule.threat.tactic]
66id = "TA0011"
67name = "Command and Control"
68reference = "https://attack.mitre.org/tactics/TA0011/"

Related rules

to-top