Unusual Network Connection to Suspicious Top Level Domain

Last updated 4 months ago on 2025-04-07

Created 5 months ago on 2025-03-25

About

This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains.

Tags

Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.network-*
Related Integrations: endpoint(opens in a new tab or window)
Query

event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (*.team or *.lol or *.kr or *.ke or *.nu or *.space or 
                          *.capital or *.in or *.cfd or *.online or *.ru or 
                          *.info or *.top or *.buzz or *.xyz or *.rest or 
                          *.ml or *.cf or *.gq or *.ga or *.onion or 
                          *.network or *.monster or *.marketing or *.cyou or 
                          *.quest or *.cc or *.bar or *.click or *.cam or 
                          *.surf or *.tk or *.shop or *.club or *.icu or 
                          *.pw or *.ws or *.hair or *.mom or 
                          *.beauty or *.boats or *.fun or *.life or 
                          *.store)

Install detection rules in Elastic Security

Detect Unusual Network Connection to Suspicious Top Level Domain in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).