tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. because these ports are in the ephemeral range, this rule may false under certain conditions such as when a nated web server replies to a client which has used one of these ports by coincidence. in this case, such servers can be excluded if desired.

Techniques

T1090

Sample rules

Tor Activity to the Internet

source: elastic
technicques:
- T1090

Description

This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user’s location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor’s identity and avoid detection.

Detection logic

event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and
  source.ip:(10.0.0.0/8 or
             172.16.0.0/12 or
             192.168.0.0/16) and

  not destination.ip:(10.0.0.0/8 or
                      127.0.0.0/8 or
                      169.254.0.0/16 or
                      172.16.0.0/12 or
                      192.168.0.0/16 or
                      224.0.0.0/4 or
                      "::1" or
                      "FE80::/10" or
                      "FF00::/8")