Skip to content
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
[metadata]
creation_date = "2025/03/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/03/26"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Network Connection to Suspicious Web Service"
risk_score = 47
rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (
pastebin.* or
paste.ee or
ghostbin.com or
drive.google.com or
?.docs.live.net or
api.dropboxapi.* or
content.dropboxapi.* or
*dl.dropboxusercontent.* or
api.onedrive.com or
*.onedrive.org or
onedrive.live.com or
filebin.net or
*.ngrok.io or
ngrok.com or
*.portmap.* or
*serveo.net or
*localtunnel.me or
*pagekite.me or
*localxpose.io or
*notabug.org or
rawcdn.githack.* or
paste.nrecom.net or
zerobin.net or
controlc.com or
requestbin.net or
api.slack.com or
slack-redir.net or
slack-files.com or
cdn.discordapp.com or
discordapp.com or
discord.com or
apis.azureedge.net or
cdn.sql.gg or
?.top4top.io or
top4top.io or
uplooder.net or
*.cdnmegafiles.com or
transfer.sh or
updates.peer2profit.com or
api.telegram.org or
t.me or
meacz.gq or
rwrd.org or
*.publicvm.com or
*.blogspot.com or
api.mylnikov.org or
script.google.com or
script.googleusercontent.com or
paste4btc.com or
workupload.com or
temp.sh or
filetransfer.io or
gofile.io or
store?.gofile.io or
tiny.one or
api.notion.com or
*.sharepoint.com or
*upload.ee or
bit.ly or
t.ly or
cutt.ly or
mbasic.facebook.com or
api.gofile.io or
file.io or
api.anonfiles.com or
api.trello.com or
gist.githubusercontent.com or
dpaste.com or
*azurewebsites.net or
*.zulipchat.com or
*.4shared.com or
filecloud.me or
i.ibb.co or
files.catbox.moe or
*.getmyip.com or
mockbin.org or
webhook.site or
run.mocky.io or
*infinityfreeapp.com or
free.keep.sh or
tinyurl.com or
ftpupload.net or
lobfile.com or
*.ngrok-free.app or
myexternalip.com or
yandex.ru or
*.yandex.ru or
*.aternos.me or
cdn??.space or
*.pcloud.com or
mediafire.zip or
urlz.fr or
rentry.co or
*.b-cdn.net or
pastecode.dev or
i.imgur.com or
the.earth.li or
*.trycloudflare.com
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "destination.domain"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"