Tor Activity to the Internet
Detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user’s location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor’s identity and avoid detection.
Rule type: query
Rule indices:
- filebeat-*
- packetbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Network
- Threat Detection
- Command and Control
Version: 7 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may produce false positives under certain conditions, such as when a NATed web server replies to a client that has used one of these ports by coincidence. In this case, such servers can be excluded if desired.
Rule query
event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8")
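The rule query and the NATed-server false positive described above, re-implemented in Python over constructed events as an added example (not Elastic's code). The `excluded_sources` parameter, the helper names and the sample events are assumptions for illustration.

```python
import ipaddress

# Ports and networks copied from the rule query on this page.
TOR_PORTS = {9001, 9030}
PRIVATE_SRC = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
EXCLUDED_DST = PRIVATE_SRC + ["127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
                              "::1", "FE80::/10", "FF00::/8"]

def in_any(ip, cidrs):
    """True if ip falls inside any of the CIDR blocks (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return any(addr.version == n.version and addr in n for n in nets)

def matches_rule(event, excluded_sources=()):
    """Evaluate the rule query against one flattened ECS-style event dict.
    excluded_sources is a hypothetical exception list for known NATed servers."""
    cats = event.get("event.category", [])
    cats = {cats} if isinstance(cats, str) else set(cats)
    if not cats & {"network", "network_traffic"}:
        return False
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") not in TOR_PORTS:
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if not src or not in_any(src, PRIVATE_SRC) or src in excluded_sources:
        return False
    # "not destination.ip:(...)" is also true when the field is absent.
    return not (dst and in_any(dst, EXCLUDED_DST))

def make_event(id_, src, sport, dst, dport, transport="tcp"):
    return {"id": id_, "event.category": ["network"], "network.transport": transport,
            "source.ip": src, "source.port": sport,
            "destination.ip": dst, "destination.port": dport}

# Constructed sample events; external hosts use documentation address ranges.
SAMPLE_EVENTS = [
    make_event("workstation-to-9001", "10.1.2.3", 51514, "203.0.113.50", 9001),
    make_event("internal-only", "192.168.1.10", 40000, "10.0.0.5", 9001),
    make_event("web-reply-fp", "10.0.5.20", 443, "198.51.100.7", 9001),  # NATed server reply
    make_event("multicast", "172.16.4.4", 5353, "224.0.0.251", 9030),
    make_event("udp", "10.1.2.3", 51515, "203.0.113.50", 9001, transport="udp"),
    make_event("https", "10.1.2.3", 51516, "203.0.113.50", 443),
]

def alerts(events, excluded_sources=()):
    """Return the ids of events that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e, excluded_sources)]
```

The `web-reply-fp` event matches only because the external client happened to pick source port 9001; listing the server in `excluded_sources` suppresses it without affecting the workstation alert.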
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Proxy
  - ID: T1090
  - Reference URL: https://attack.mitre.org/techniques/T1090/
Rule version history
- Version 7 (7.11.2 release)
  - Formatting only
- Version 6 (7.11.0 release)
  - Updated query, changed from:
    event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
- Version 5 (7.10.0 release)
  - Formatting only
- Version 4 (7.9.0 release)
  - Updated query, changed from:
    network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
- Version 3 (7.7.0 release)
  - Updated query, changed from:
    network.transport: tcp and destination.port: (9001 or 9030) and ( network.direction: outbound or ( source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )
- Version 2 (7.6.1 release)
  - Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.