Skip to content

[New] Unusual Network Connection to Suspicious Top Level Domain #4563

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Mikaayenson merged 17 commits into from
Apr 3, 2025
Merged

[New] Unusual Network Connection to Suspicious Top Level Domain #4563

Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
560a0d0
[New] Unusual Network Connection to Suspicious Top Level Domain
DefSecSentinel Mar 25, 2025
34f78a0
update kql
DefSecSentinel Mar 25, 2025
b9cb437
Update rules/macos/command_and_control_unusual_connection_to_suspicio…
DefSecSentinel Mar 25, 2025
99f0f0c
Update rules/macos/command_and_control_unusual_connection_to_suspicio…
DefSecSentinel Mar 25, 2025
707928a
Merge branch 'main' into first-occurrence-network-connection-to-sus-TLD
DefSecSentinel Mar 26, 2025
97b6b8e
Update rules/macos/command_and_control_unusual_connection_to_suspicio…
DefSecSentinel Mar 26, 2025
1c629ef
Update rules/macos/command_and_control_unusual_connection_to_suspicio…
DefSecSentinel Mar 26, 2025
eb1655d
Update rules/macos/command_and_control_unusual_connection_to_suspicio…
DefSecSentinel Mar 26, 2025
8a27b45
Merge branch 'main' into first-occurrence-network-connection-to-sus-TLD
DefSecSentinel Mar 26, 2025
a26b22e
Merge branch 'main' into first-occurrence-network-connection-to-sus-TLD
DefSecSentinel Mar 26, 2025
a7e5742
Update rules/macos/command_and_control_unusual_connection_to_suspicio…
DefSecSentinel Mar 26, 2025
00d2a43
Update rules/macos/command_and_control_unusual_connection_to_suspicio…
DefSecSentinel Mar 26, 2025
2730370
Merge branch 'main' into first-occurrence-network-connection-to-sus-TLD
DefSecSentinel Mar 27, 2025
856d853
Merge branch 'main' into first-occurrence-network-connection-to-sus-TLD
DefSecSentinel Mar 28, 2025
fe6025d
Merge branch 'main' into first-occurrence-network-connection-to-sus-TLD
DefSecSentinel Apr 1, 2025
515653d
Update rule threat order
eric-forte-elastic Apr 3, 2025
38f95ac
Merge branch 'main' into first-occurrence-network-connection-to-sus-TLD
Mikaayenson Apr 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2025/03/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/03/25"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Network Connection to Suspicious Top Level Domain"
risk_score = 47
rule_id = "ffa676dc-09b0-11f0-94ba-b66272739ecb"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (*.team or *.lol or *.kr or *.ke or *.nu or *.space or
*.capital or *.in or *.cfd or *.online or *.ru or
*.info or *.top or *.buzz or *.xyz or *.rest or
*.ml or *.cf or *.gq or *.ga or *.onion or
*.network or *.monster or *.marketing or *.cyou or
*.quest or *.cc or *.bar or *.click or *.cam or
*.surf or *.tk or *.shop or *.club or *.icu or
*.pw or *.ws or *.hair or *.mom or
*.beauty or *.boats or *.fun or *.life or
*.store)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "destination.domain"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
Loading