Unusual Network Connection to Suspicious Top Level Domain
This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2025/03/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/04/07"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Network Connection to Suspicious Top Level Domain"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Network Connection to Suspicious Top Level Domain

In macOS environments, network connections are essential for communication and data exchange. Adversaries exploit this by connecting to suspicious top-level domains (TLDs) for command and control activities. The detection rule identifies unusual outbound connections to these TLDs, signaling potential threats. By monitoring specific domains, it helps detect and mitigate malicious activities early.

### Possible investigation steps

- Review the destination domain involved in the alert to determine if it is associated with known malicious activities or if it has been flagged in threat intelligence databases.
- Analyze the network traffic details related to the connection, including the source IP address and the volume of data transferred, to assess the nature and intent of the communication.
- Check the host system's recent activity logs for any unusual processes or applications that initiated the network connection, focusing on the event.type "start" to identify the triggering process.
- Investigate the user account associated with the host to determine if there have been any unauthorized access attempts or anomalies in user behavior.
- Correlate the alert with other security events or alerts from the same host or network segment to identify potential patterns or coordinated activities.
- Consult with threat intelligence sources or security forums to gather additional context on the specific top-level domain and its potential use in command and control operations.

### False positive analysis

- Legitimate business domains may use TLDs like .online or .store for marketing purposes. Review the domain's reputation and business context before marking it as a threat.
- Personal or small business websites might use TLDs such as .fun or .life. Verify the domain ownership and usage to determine if it is a false positive.
- Some educational or community projects might use TLDs like .club or .space. Check the domain's content and purpose to assess its legitimacy.
- Exclude known safe domains by adding them to an allowlist in your monitoring tool to prevent repeated false positives.
- Regularly update the allowlist based on user feedback and network behavior analysis to ensure it remains accurate and effective.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent further communication with the suspicious domain.
- Conduct a thorough review of the network logs to identify any additional devices that may have communicated with the same suspicious domains and isolate them if necessary.
- Use endpoint security tools to perform a full malware scan on the affected device to identify and remove any malicious software.
- Reset credentials and review access permissions for any accounts that were active on the affected device to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if the threat is part of a larger attack campaign.
- Implement network-level blocking of the identified suspicious domains to prevent future connections from any device within the network.
- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to enhance detection and blocking of similar threats in the future.
"""
risk_score = 47
rule_id = "ffa676dc-09b0-11f0-94ba-b66272739ecb"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Command and Control",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (*.team or *.lol or *.kr or *.ke or *.nu or *.space or
                      *.capital or *.in or *.cfd or *.online or *.ru or
                      *.info or *.top or *.buzz or *.xyz or *.rest or
                      *.ml or *.cf or *.gq or *.ga or *.onion or
                      *.network or *.monster or *.marketing or *.cyou or
                      *.quest or *.cc or *.bar or *.click or *.cam or
                      *.surf or *.tk or *.shop or *.club or *.icu or
                      *.pw or *.ws or *.hair or *.mom or
                      *.beauty or *.boats or *.fun or *.life or
                      *.store)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "destination.domain"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
```
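The rule combines two things: the KQL filter on macOS network-start events whose destination.domain ends in one of the listed TLDs, and the new_terms logic that only alerts when the (host.id, process.executable, destination.domain) combination has not been seen in the previous 7 days. The following is an added, stand-alone Python model of that behaviour (not Elastic's code), which also applies the allowlist the false-positive guidance recommends; it assumes events are dicts keyed by ECS field names, the `_ev` helper and all sample events are constructed, and the "last seen" tracking is a simplification of how the Elastic new_terms rule type evaluates its history window per run.

```python
from datetime import datetime, timedelta

# TLD list copied from the rule's query; a domain matches when its last label is one of these.
SUSPICIOUS_TLDS = {
    "team", "lol", "kr", "ke", "nu", "space", "capital", "in", "cfd", "online", "ru", "info",
    "top", "buzz", "xyz", "rest", "ml", "cf", "gq", "ga", "onion", "network", "monster",
    "marketing", "cyou", "quest", "cc", "bar", "click", "cam", "surf", "tk", "shop", "club",
    "icu", "pw", "ws", "hair", "mom", "beauty", "boats", "fun", "life", "store",
}
HISTORY_WINDOW = timedelta(days=7)  # rule.new_terms history_window_start = "now-7d"

def matches_query(ev):
    """Mirror the KQL filter: macOS network 'start' events to a listed TLD."""
    domain = ev.get("destination.domain", "").lower().rstrip(".")
    return (ev.get("event.category") == "network" and ev.get("host.os.type") == "macos"
            and ev.get("event.type") == "start"
            and "." in domain and domain.rsplit(".", 1)[1] in SUSPICIOUS_TLDS)

def new_terms_alerts(events, allowlist=frozenset()):
    """Alert on a (host.id, process.executable, destination.domain) triple the first time it
    appears, or again once its last sighting is older than the 7-day history window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        domain = ev.get("destination.domain", "").lower().rstrip(".")
        if not matches_query(ev) or domain in allowlist:  # allowlist = false-positive tuning
            continue
        key = (ev["host.id"], ev["process.executable"], domain)
        prev = last_seen.get(key)
        if prev is None or ev["@timestamp"] - prev > HISTORY_WINDOW:
            alerts.append(key)
        last_seen[key] = ev["@timestamp"]
    return alerts

def _ev(ts, domain, host="mac-01", exe="/usr/bin/curl", os_type="macos"):  # constructed event
    return {"@timestamp": ts, "event.category": "network", "event.type": "start",
            "host.os.type": os_type, "host.id": host, "process.executable": exe,
            "destination.domain": domain}

T0 = datetime(2025, 4, 7, 12, 0)
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    _ev(T0, "cdn.example.xyz"),                                  # first sighting -> alert
    _ev(T0 + timedelta(minutes=1), "cdn.example.xyz"),           # seen 1 min ago -> suppressed
    _ev(T0 + timedelta(minutes=2), "api.example.com"),           # .com not listed -> filtered
    _ev(T0 + timedelta(minutes=3), "x.example.top", os_type="linux"),  # not macOS -> filtered
    _ev(T0 + timedelta(minutes=4), "shop.example.store"),        # listed TLD, but allowlisted
    _ev(T0 + timedelta(days=8), "cdn.example.xyz"),              # last seen > 7d ago -> alert
]
ALERTS = new_terms_alerts(SAMPLE_EVENTS, allowlist=frozenset({"shop.example.store"}))
```

Running it yields two alerts for the same curl-to-cdn.example.xyz triple: one at first sight and one after the combination had aged out of the history window.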
Related rules
- Unusual Network Connection to Suspicious Web Service
- Apple Script Execution followed by Network Connection
- MacOS Installer Package Spawns Network Event
- Potential Non-Standard Port SSH connection
- High Number of Egress Network Connections from Unusual Executable