Tor Activity to the Internet

edit

Detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user’s location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor’s identity and avoid detection.

Rule type: query

Rule indices:

  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Network
  • Threat Detection
  • Command and Control

Version: 7 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired.

Rule query

edit
event.category:(network or network_traffic) and network.transport:tcp
and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or
172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8
or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or
224.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Updated query, changed from:

    event.category:(network or network_traffic) and network.transport:tcp
    and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or
    127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.0 release)
  • Updated query, changed from:

    network.transport:tcp and destination.port:(9001 or 9030) and
    source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
    destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
    192.168.0.0/16 or "::1")
Version 3 (7.7.0 release)
  • Updated query, changed from:

    network.transport: tcp and destination.port: (9001 or 9030) and (
    network.direction: outbound or ( source.ip: (10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8
    or 172.16.0.0/12 or 192.168.0.0/16) ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.