Unusual Network Connection to Suspicious Web Service
This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2025/03/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/04/07"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Network Connection to Suspicious Web Service"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Network Connection to Suspicious Web Service

In macOS environments, network connections to web services are routine for data sharing and collaboration. However, adversaries exploit these services for command and control by disguising malicious traffic as legitimate. The detection rule identifies unusual outbound connections to known suspicious domains, flagging potential misuse by monitoring specific domain patterns and connection events, thus aiding in early threat detection.

### Possible investigation steps

- Review the destination domain and process executable from the alert to determine if it matches any expected web service communication.
- Check the event.category and event.type fields to confirm the nature of the network connection and ensure it aligns with the expected behavior of a macOS system.
- Investigate the source host identified by host.os.type to gather information about its recent activities, installed applications, and any potential indicators of compromise.
- Analyze network traffic logs for the source host to identify any other unusual or suspicious outbound connections that may indicate a broader compromise.
- Correlate the alert with other security events or alerts from the same host or network segment to identify patterns or related incidents.
- Consult threat intelligence sources to gather additional context on the flagged domain and assess its reputation and history of malicious activity.

### False positive analysis

- Frequent access to legitimate cloud storage services like Google Drive or Dropbox for routine file sharing can trigger false positives. Users can create exceptions for specific domains or IP addresses known to be safe and frequently accessed by their organization.
- Automated backup services that use domains such as OneDrive or SharePoint may be flagged. To mitigate this, identify and whitelist the specific services or applications that are part of regular backup operations.
- Collaboration tools like Slack or Discord, used for legitimate communication, might be mistakenly flagged. Users should review and whitelist these domains if they are part of standard business operations.
- URL shorteners like bit.ly or tinyurl.com used in marketing or communication campaigns can cause false alerts. Establish a list of trusted shortener services and exclude them from monitoring if they are regularly used by the organization.
- Development and testing environments using services like ngrok or localtunnel for temporary public URLs can be misidentified. Ensure these environments are documented and excluded from the rule if they are part of normal development workflows.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent further communication with the suspicious domains.
- Conduct a thorough review of the network logs to identify any data exfiltration attempts or additional suspicious connections originating from the isolated device.
- Remove any unauthorized or suspicious applications or scripts found on the device that may be facilitating the outbound connections.
- Update the device's security software and perform a full system scan to detect and remove any malware or unauthorized software.
- Reset credentials and review access permissions for the affected user accounts to prevent unauthorized access.
- Monitor the network for any further attempts to connect to the flagged domains and ensure that alerts are configured to notify security teams of any recurrence.
- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign.
"""
risk_score = 47
rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Command and Control",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (
  pastebin.* or
  paste.ee or
  ghostbin.com or
  drive.google.com or
  ?.docs.live.net or
  api.dropboxapi.* or
  content.dropboxapi.* or
  *dl.dropboxusercontent.* or
  api.onedrive.com or
  *.onedrive.org or
  onedrive.live.com or
  filebin.net or
  *.ngrok.io or
  ngrok.com or
  *.portmap.* or
  *serveo.net or
  *localtunnel.me or
  *pagekite.me or
  *localxpose.io or
  *notabug.org or
  rawcdn.githack.* or
  paste.nrecom.net or
  zerobin.net or
  controlc.com or
  requestbin.net or
  api.slack.com or
  slack-redir.net or
  slack-files.com or
  cdn.discordapp.com or
  discordapp.com or
  discord.com or
  apis.azureedge.net or
  cdn.sql.gg or
  ?.top4top.io or
  top4top.io or
  uplooder.net or
  *.cdnmegafiles.com or
  transfer.sh or
  updates.peer2profit.com or
  api.telegram.org or
  t.me or
  meacz.gq or
  rwrd.org or
  *.publicvm.com or
  *.blogspot.com or
  api.mylnikov.org or
  script.google.com or
  script.googleusercontent.com or
  paste4btc.com or
  workupload.com or
  temp.sh or
  filetransfer.io or
  gofile.io or
  store?.gofile.io or
  tiny.one or
  api.notion.com or
  *.sharepoint.com or
  *upload.ee or
  bit.ly or
  t.ly or
  cutt.ly or
  mbasic.facebook.com or
  api.gofile.io or
  file.io or
  api.anonfiles.com or
  api.trello.com or
  gist.githubusercontent.com or
  dpaste.com or
  *azurewebsites.net or
  *.zulipchat.com or
  *.4shared.com or
  filecloud.me or
  i.ibb.co or
  files.catbox.moe or
  *.getmyip.com or
  mockbin.org or
  webhook.site or
  run.mocky.io or
  *infinityfreeapp.com or
  free.keep.sh or
  tinyurl.com or
  ftpupload.net or
  lobfile.com or
  *.ngrok-free.app or
  myexternalip.com or
  yandex.ru or
  *.yandex.ru or
  *.aternos.me or
  cdn??.space or
  *.pcloud.com or
  mediafire.zip or
  urlz.fr or
  rentry.co or
  *.b-cdn.net or
  pastecode.dev or
  i.imgur.com or
  the.earth.li or
  *.trycloudflare.com
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "destination.domain"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
```
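To make the rule's two stages concrete, here is an added example (not code from Elastic or the detection-rules project) that simulates them in Python over constructed endpoint events: first the KQL domain filter, where `*` matches any run of characters and `?` exactly one (so `?.docs.live.net` matches `x.docs.live.net` but not `abcd.docs.live.net`), then a simplified model of the `new_terms` check, which alerts only when the `host.id`, `process.executable`, `destination.domain` combination has not been seen within the 7-day history window. The host ids, executable paths and timestamps are made up, and the new-terms model is an assumption about the rule type's behaviour, not Elastic's implementation.

```python
# Added example (not the Elastic rule's own code): simulates the rule's two stages on constructed events.
import re
from datetime import datetime, timedelta

# Subset of the rule's destination.domain values; in KQL "*" matches any run of characters, "?" exactly one.
DOMAIN_PATTERNS = ["pastebin.*", "content.dropboxapi.*", "?.docs.live.net",
                   "*.ngrok-free.app", "cdn??.space", "webhook.site"]

def kql_wildcard_to_regex(pattern):
    """Translate one KQL wildcard value into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")

COMPILED = [kql_wildcard_to_regex(p) for p in DOMAIN_PATTERNS]
def ts(e): return e["@timestamp"]

def query_matches(e):
    """Stage 1: the rule's KQL filter on event.category, host.os.type, event.type and domain."""
    return (e.get("event.category") == "network" and e.get("host.os.type") == "macos"
            and e.get("event.type") == "start"
            and any(r.match(e.get("destination.domain", "")) for r in COMPILED))

def terms(e): return (e["host.id"], e["process.executable"], e["destination.domain"])  # new_terms_fields

def new_terms_alerts(history, events, window=timedelta(days=7)):
    """Stage 2, a simplified model (assumption) of the new_terms rule type: alert when a matching
    event's term combination was not seen within the preceding history window."""
    seen = {terms(e): ts(e) for e in sorted(history, key=ts) if query_matches(e)}
    alerts = []
    for e in sorted(events, key=ts):
        if query_matches(e):
            last = seen.get(terms(e))
            if last is None or ts(e) - last > window:
                alerts.append(e)
            seen[terms(e)] = ts(e)
    return alerts

# Constructed sample events; host ids and executable paths are made up.
NOW = datetime(2025, 4, 7, 12, 0)
def ev(host, exe, domain, age_hours, os_type="macos"):
    return {"@timestamp": NOW - timedelta(hours=age_hours), "host.id": host, "process.executable": exe,
            "destination.domain": domain, "host.os.type": os_type, "event.category": "network", "event.type": "start"}
DROPBOX = "/Applications/Dropbox.app/Contents/MacOS/Dropbox"
HISTORY = [ev("mac-01", DROPBOX, "content.dropboxapi.com", 48),        # seen 2 days ago
           ev("mac-04", "/usr/bin/curl", "webhook.site", 24 * 10)]     # seen 10 days ago
EVENTS = [ev("mac-01", DROPBOX, "content.dropboxapi.com", 1),          # known combination: no alert
          ev("mac-01", "/usr/bin/curl", "pastebin.com", 1),             # first time seen: alert
          ev("mac-02", "/usr/bin/python3", "abcd.docs.live.net", 0.5),  # "?" is one char: no match
          ev("mac-02", "/usr/bin/python3", "x.docs.live.net", 0.4),     # alert
          ev("mac-03", "/usr/bin/curl", "pastebin.com", 0.2, "linux"),  # not macOS: no alert
          ev("mac-04", "/usr/bin/curl", "webhook.site", 0.1)]           # last seen over 7 days ago: alert
```

Running `new_terms_alerts(HISTORY, EVENTS)` yields three alerts (mac-01 to pastebin.com, mac-02 to x.docs.live.net, mac-04 to webhook.site); the Dropbox client's known combination and the non-macOS host are filtered out, which is the behaviour the false-positive section above relies on when it suggests exceptions per domain and application.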
Related rules
- Unusual Network Connection to Suspicious Top Level Domain
- Apple Script Execution followed by Network Connection
- MacOS Installer Package Spawns Network Event
- Potential Non-Standard Port SSH connection
- High Number of Egress Network Connections from Unusual Executable