security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New] Unusual Network Connection to Suspicious Top Level Domain (#4563)

Browse Source
This commit is contained in:
Colson Wilhoit
2025-04-03 14:22:41 -05:00
committed by GitHub
parent d4b2a35237
commit 753e8d8200
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2025/03/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/03/25"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Network Connection to Suspicious Top Level Domain"
risk_score = 47
rule_id = "ffa676dc-09b0-11f0-94ba-b66272739ecb"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (*.team or *.lol or *.kr or *.ke or *.nu or *.space or
*.capital or *.in or *.cfd or *.online or *.ru or
*.info or *.top or *.buzz or *.xyz or *.rest or
*.ml or *.cf or *.gq or *.ga or *.onion or
*.network or *.monster or *.marketing or *.cyou or
*.quest or *.cc or *.bar or *.click or *.cam or
*.surf or *.tk or *.shop or *.club or *.icu or
*.pw or *.ws or *.hair or *.mom or
*.beauty or *.boats or *.fun or *.life or
*.store)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "destination.domain"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"