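/*
 * Network events on Windows hosts in which a process resolves the name of a web
 * service that is commonly abused (file/paste hosting, tunnelling, chat and
 * webhook APIs). Resolutions performed by the built-in SYSTEM, LOCAL SERVICE and
 * NETWORK SERVICE accounts, or by any NT AUTHORITY account, are out of scope.
 *
 * Operator `:` is a case-insensitive match with wildcards: `*` matches any run of
 * characters, `?` matches exactly one character.
 */
network where host.os.type == "windows" and
  dns.question.name != null and process.name != null and
  not (?user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") or user.domain == "NT AUTHORITY") and

  /* Add new WebSvc domains here.
     Keep the list free of duplicates so additions stay easy to review
     (the repeated api.mylnikov.org and api.notion.com entries were collapsed). */
  dns.question.name : (
    "raw.githubusercontent.*",
    "pastebin.*",
    "paste4btc.com",
    "paste.ee",
    "ghostbin.com",
    "drive.google.com",
    "?.docs.live.net",
    "api.dropboxapi.*",
    "content.dropboxapi.*",
    "dl.dropboxusercontent.*",
    "api.onedrive.com",
    "*.onedrive.org",
    "onedrive.live.com",
    "filebin.net",
    "*.ngrok.io",
    "ngrok.com",
    "*.portmap.*",
    "*serveo.net",
    "*localtunnel.me",
    "*pagekite.me",
    "*localxpose.io",
    "*notabug.org",
    "rawcdn.githack.*",
    "paste.nrecom.net",
    "zerobin.net",
    "controlc.com",
    "requestbin.net",
    "slack.com",
    "api.slack.com",
    "slack-redir.net",
    "slack-files.com",
    "cdn.discordapp.com",
    "discordapp.com",
    "discord.com",
    "apis.azureedge.net",
    "cdn.sql.gg",
    "?.top4top.io",
    "top4top.io",
    "www.uplooder.net",
    "*.cdnmegafiles.com",
    "transfer.sh",
    "gofile.io",
    "updates.peer2profit.com",
    "api.telegram.org",
    "t.me",
    "meacz.gq",
    "rwrd.org",
    "*.publicvm.com",
    "*.blogspot.com",
    "api.mylnikov.org",
    "file.io",
    "stackoverflow.com",
    "*files.1drv.com",
    "api.anonfile.com",
    "*hosting-profi.de",
    "ipbase.com",
    "ipfs.io",
    "*up.freeo*.space",
    "script.google.com",
    "script.googleusercontent.com",
    "api.notion.com",
    "graph.microsoft.com",
    "*.sharepoint.com",
    "mbasic.facebook.com",
    "login.live.com",
    "api.gofile.io",
    "api.anonfiles.com",
    "api.trello.com",
    "gist.githubusercontent.com",
    "files.pythonhosted.org",
    "g.live.com",
    "*.zulipchat.com",
    "webhook.site",
    "run.mocky.io",
    "mockbin.org",
    "www.googleapis.com",
    "googleapis.com",
    "global.rel.tunnels.api.visualstudio.com",
    "*.devtunnels.ms",
    "api.github.com"
  ) and

  /* Insert noisy false positives here.
     The tightest exclusions below pin all three of: a process name, a trusted code
     signature, and the specific domain(s) that process legitimately contacts.
     Prefer that shape for new entries; the path-only and signer-only groups are
     broader and are called out as such. */
  not (
    /* Path-only exclusions: no signature check, so any executable under these
       locations is exempt for every domain in the list above. */
    (
      process.executable : (
        "?:\\Program Files\\*.exe",
        "?:\\Program Files (x86)\\*.exe",
        "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
        "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe",
        "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
        "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
        "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe",
        "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
        "?:\\Users\\*\\AppData\\Local\\PowerToys\\PowerToys.exe",
        "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe",
        "?:\\Users\\*\\AppData\\Local\\Zen Browser\\zen.exe",
        "?:\\Users\\*\\Wavesor Software\\WaveBrowser\\wavebrowser.exe",
        "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
        "?:\\Windows\\system32\\mobsync.exe",
        "?:\\Windows\\SysWOW64\\mobsync.exe",
        "?:\\Windows\\system32\\svchost.exe",
        "?:\\Windows\\System32\\smartscreen.exe",
        "?:\\Windows\\System32\\wsl.exe",
        "?:\\Windows\\System32\\WWAHost.exe"
      )
    ) or

    /* Discord App */
    (
      process.name : "Discord.exe" and
      (process.code_signature.subject_name : "Discord Inc." and process.code_signature.trusted == true) and
      dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com")
    ) or

    /* MS Sharepoint / OneDrive */
    (
      process.name : ("Microsoft.SharePoint.exe", "OneDrive.Sync.Service.exe") and
      dns.question.name : "onedrive.live.com" and
      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Obsidian - Plugins are stored on raw.githubusercontent.com */
    (
      process.name : "Obsidian.exe" and
      (process.code_signature.subject_name : "Dynalist Inc" and process.code_signature.trusted == true) and
      dns.question.name : "raw.githubusercontent.com"
    ) or

    /* WebExperienceHostApp */
    (
      process.name : "WebExperienceHostApp.exe" and
      (process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true) and
      dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com")
    ) or

    /* IntelliJ IDEA connecting to raw.githubusercontent.com
       (no process name constraint: applies to any trusted JetBrains-signed process) */
    (
      process.code_signature.subject_name : "JetBrains s.r.o." and
      process.code_signature.trusted == true and
      dns.question.name : ("api.github.com", "raw.githubusercontent.com")
    ) or

    /* Any trusted Microsoft-signed process reaching Microsoft's own services */
    (
      process.code_signature.subject_name : "Microsoft *" and
      process.code_signature.trusted == true and
      dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com")
    ) or

    /* Python package index traffic from the official interpreter */
    (
      process.code_signature.subject_name : "Python Software Foundation" and
      process.code_signature.trusted == true and
      dns.question.name : "files.pythonhosted.org"
    ) or

    /* Zoom */
    (
      process.name : "Zoom.exe" and
      (process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true) and
      dns.question.name : ("www.googleapis.com", "graph.microsoft.com")
    ) or

    /* VSCode */
    (
      process.name : "Code.exe" and
      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and
      dns.question.name : ("api.github.com", "raw.githubusercontent.com")
    ) or

    /* Terraform */
    (
      process.name : "terraform-provider*.exe" and
      (process.code_signature.subject_name : "HashiCorp, Inc." and process.code_signature.trusted == true) and
      dns.question.name : "graph.microsoft.com"
    ) or

    /* Signer-only exclusions: no process name and no domain constraint, so any
       binary trusted-signed by one of these publishers is exempt for every domain
       in the list above. Review before extending. */
    (
      process.code_signature.trusted == true and
      process.code_signature.subject_name : (
        "Johannes Schindelin",
        "Redis Inc.",
        "Slack Technologies, LLC",
        "Cisco Systems, Inc.",
        "Dropbox, Inc",
        "Amazon.com Services LLC",
        "Island Technology Inc.",
        "GitHub, Inc.",
        "Red Hat, Inc",
        "Mozilla Corporation"
      )
    )
  )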