Monitoring TOR exit node activity helps detect anonymized reconnaissance, C2 communications, and data exfiltration in which attackers use TOR to hide their origin. Organizations can ingest TOR node data into Elastic through an ingest pipeline, an index template, and an Elastic Agent or Filebeat integration. The guide gives step-by-step configuration (API request, ingest pipeline, index template, and agent policy) to surface TOR node activity for detection and correlation with Threat Intel rules. #TOR #Onionoo
Keypoints
- TOR exit nodes are the final relays where encrypted TOR traffic exits to the open internet, exposing the exit node IP rather than the user IP.
- Malicious actors use TOR for anonymized reconnaissance, command-and-control (C2) communications, and data exfiltration, increasing detection difficulty.
- Monitoring should look for interactions between TOR exit nodes and IP fields such as host.ip, server.ip, destination.ip, source.ip, and client.ip across logs (firewall, DNS, proxies, endpoints, cloud).
- Implementation requires creating an ingest pipeline and index template, then polling the TOR Onionoo API (recommended every 60 minutes) to collect node details.
- Integration steps for Elastic include adding a Custom API integration in Fleet with dataset ti_tor.node_activity, ingest pipeline logs-ti_tor.node_activity, and the specified Onionoo Request URL and interval.
- Filebeat can be used as an alternative ingestion method by adding the provided filebeat.inputs configuration and the same ingest pipeline and index template.
- Once ingested, TOR node data is available in Discover for rules, visualizations, dashboards, and can be used with Threat Intel IP Address Indicator Match rules and geo-based map visualizations in Kibana.
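As an added example (not code from the article or from Elastic), the matching logic the keypoints describe, in Python: extract exit IPs from an Onionoo details response and check them against the IP fields listed above. The Onionoo response and the log events are constructed samples; the parser assumes Onionoo's relays[].exit_addresses layout, and relays without that field are treated as non-exit relays.

```python
import ipaddress
import json

# Elastic log fields the article says to watch for TOR exit-node interactions.
IP_FIELDS = ("host.ip", "server.ip", "destination.ip", "source.ip", "client.ip")

# Constructed sample of an Onionoo /details response: "relays" entries carry
# "exit_addresses" only when the relay is an exit (non-exits have none).
SAMPLE_ONIONOO = json.dumps({
    "version": "9.0",
    "relays": [
        {"nickname": "exitA", "exit_addresses": ["198.51.100.7"]},
        {"nickname": "exitB", "exit_addresses": ["203.0.113.9", "203.0.113.10"]},
        {"nickname": "middleOnly", "or_addresses": ["192.0.2.4:9001"]},
    ],
    "bridges": [],
})

# Constructed log events using the dotted field names the detection matches on.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T00:00:00Z", "source.ip": "203.0.113.9", "destination.ip": "10.0.0.5"},
    {"@timestamp": "2024-01-01T00:01:00Z", "source.ip": "10.0.0.8", "destination.ip": "198.51.100.7"},
    {"@timestamp": "2024-01-01T00:02:00Z", "client.ip": "192.0.2.4"},
]


def extract_exit_addresses(onionoo_json: str) -> set:
    """Return the set of exit IPs in an Onionoo details document (normalized)."""
    doc = json.loads(onionoo_json)
    exits = set()
    for relay in doc.get("relays", []):
        for addr in relay.get("exit_addresses", []):  # absent => not an exit relay
            try:
                exits.add(str(ipaddress.ip_address(addr)))
            except ValueError:
                continue  # drop malformed entries rather than poison the indicator set
    return exits


def match_tor_activity(events: list, exit_ips: set) -> list:
    """Return (timestamp, field, ip) for every monitored IP field that hits an exit IP."""
    hits = []
    for event in events:
        for field in IP_FIELDS:
            value = event.get(field)
            if value in exit_ips:
                hits.append((event.get("@timestamp"), field, value))
    return hits
```

In the Elastic setup the same comparison is done by the Threat Intel IP Address Indicator Match rule against the ti_tor.node_activity index, so this script is useful mainly for validating the indicator set before it is ingested.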
MITRE Techniques
- [T1592] Gather Victim Network Information – Attackers perform anonymized reconnaissance and network scanning via TOR exit nodes to map infrastructure (“Anonymized Reconnaissance: Attackers often perform scans and probes from TOR exit nodes”).
- [T1071] Application Layer Protocol – TOR is used as a channel for command-and-control communications by malware families (“Command and Control (C2) Channels: Many malware families use TOR for C2 communications”).
- [T1041] Exfiltration Over C2 Channel – TOR is used to exfiltrate sensitive data out of an organization (“Data Exfiltration: TOR is a common channel for exfiltrating sensitive data out of an organization”).
Indicators of Compromise
- [IP Addresses] TOR exit node IPs observed via the Onionoo API – the exit node IPs returned in the exit_addresses API field, with further exit node IPs discovered through periodic polling.
- [API Endpoint / URL] Data source for node details – https://onionoo.torproject.org/details?fields=exit_addresses,… (used as the Request URL for periodic collection).
- [Index/Dataset Names] Elastic ingestion identifiers used for detection – ti_tor.node_activity dataset, logs-ti_tor.node_activity ingest pipeline (used to store and parse TOR node data).
- [Log Fields] Log field contexts to monitor for TOR interactions – host.ip, server.ip, destination.ip, source.ip, client.ip (watch these in firewall, DNS, proxy, endpoint, and cloud logs).
Read more: https://www.elastic.co/security-labs/tor-exit-node-monitoring