Unusual Network Connection to Suspicious Web Service

Last updated 4 months ago on 2025-04-07

Created 5 months ago on 2025-03-26

About

This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.

Tags

Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.network-*
Related Integrations: endpoint(opens in a new tab or window)
Query

event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (
    pastebin.* or
    paste.ee or
    ghostbin.com or
    drive.google.com or
    ?.docs.live.net or
    api.dropboxapi.* or
    content.dropboxapi.* or
    *dl.dropboxusercontent.* or
    api.onedrive.com or
    *.onedrive.org or
    onedrive.live.com or
    filebin.net or
    *.ngrok.io or
    ngrok.com or
    *.portmap.* or
    *serveo.net or
    *localtunnel.me or
    *pagekite.me or
    *localxpose.io or
    *notabug.org or
    rawcdn.githack.* or
    paste.nrecom.net or
    zerobin.net or
    controlc.com or
    requestbin.net or
    api.slack.com or
    slack-redir.net or
    slack-files.com or
    cdn.discordapp.com or
    discordapp.com or
    discord.com or
    apis.azureedge.net or
    cdn.sql.gg or
    ?.top4top.io or
    top4top.io or
    uplooder.net or
    *.cdnmegafiles.com or
    transfer.sh or
    updates.peer2profit.com or
    api.telegram.org or
    t.me or
    meacz.gq or
    rwrd.org or
    *.publicvm.com or
    *.blogspot.com or
    api.mylnikov.org or
    script.google.com or
    script.googleusercontent.com or
    paste4btc.com or
    workupload.com or
    temp.sh or
    filetransfer.io or
    gofile.io or
    store?.gofile.io or
    tiny.one or
    api.notion.com or
    *.sharepoint.com or
    *upload.ee or
    bit.ly or
    t.ly or
    cutt.ly or
    mbasic.facebook.com or
    api.gofile.io or
    file.io or
    api.anonfiles.com or
    api.trello.com or
    gist.githubusercontent.com or
    dpaste.com or
    *azurewebsites.net or
    *.zulipchat.com or
    *.4shared.com or
    filecloud.me or
    i.ibb.co or
    files.catbox.moe or
    *.getmyip.com or
    mockbin.org or
    webhook.site or
    run.mocky.io or
    *infinityfreeapp.com or
    free.keep.sh or
    tinyurl.com or
    ftpupload.net or
    lobfile.com or
    *.ngrok-free.app or
    myexternalip.com or
    yandex.ru or
    *.yandex.ru or
    *.aternos.me or
    cdn??.space or
    *.pcloud.com or
    mediafire.zip or
    urlz.fr or
    rentry.co or
    *.b-cdn.net or
    pastecode.dev or
    i.imgur.com or
    the.earth.li or
    *.trycloudflare.com
)

Install detection rules in Elastic Security

Detect Unusual Network Connection to Suspicious Web Service in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).