Unusual Network Connection to Suspicious Web Service

This rule monitors for the unusual occurrence of outbound network connections to suspicious web service domains.

Elastic rule

[metadata]
creation_date = "2025/03/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/02"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Network Connection to Suspicious Web Service"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Network Connection to Suspicious Web Service

In macOS environments, network connections to web services are routine for data sharing and collaboration. However, adversaries exploit these services for command and control by disguising malicious traffic as legitimate. The detection rule identifies unusual outbound connections to known suspicious domains, flagging potential misuse by monitoring specific domain patterns and connection events, thus aiding in early threat detection.

### Possible investigation steps

- Review the destination domain and process executable from the alert to determine if it matches any expected web service communication.
- Check the event.category and event.type fields to confirm the nature of the network connection and ensure it aligns with the expected behavior of a macOS system.
- Investigate the source host identified by host.os.type to gather information about its recent activities, installed applications, and any potential indicators of compromise.
- Analyze network traffic logs for the source host to identify any other unusual or suspicious outbound connections that may indicate a broader compromise.
- Correlate the alert with other security events or alerts from the same host or network segment to identify patterns or related incidents.
- Consult threat intelligence sources to gather additional context on the flagged domain and assess its reputation and history of malicious activity.

### False positive analysis

- Frequent access to legitimate cloud storage services like Google Drive or Dropbox for routine file sharing can trigger false positives. Users can create exceptions for specific domains or IP addresses known to be safe and frequently accessed by their organization.
- Automated backup services that use domains such as OneDrive or SharePoint may be flagged. To mitigate this, identify and whitelist the specific services or applications that are part of regular backup operations.
- Collaboration tools like Slack or Discord, used for legitimate communication, might be mistakenly flagged. Users should review and whitelist these domains if they are part of standard business operations.
- URL shorteners like bit.ly or tinyurl.com used in marketing or communication campaigns can cause false alerts. Establish a list of trusted shortener services and exclude them from monitoring if they are regularly used by the organization.
- Development and testing environments using services like ngrok or localtunnel for temporary public URLs can be misidentified. Ensure these environments are documented and excluded from the rule if they are part of normal development workflows.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent further communication with the suspicious domains.
- Conduct a thorough review of the network logs to identify any data exfiltration attempts or additional suspicious connections originating from the isolated device.
- Remove any unauthorized or suspicious applications or scripts found on the device that may be facilitating the outbound connections.
- Update the device's security software and perform a full system scan to detect and remove any malware or unauthorized software.
- Reset credentials and review access permissions for the affected user accounts to prevent unauthorized access.
- Monitor the network for any further attempts to connect to the flagged domains and ensure that alerts are configured to notify security teams of any recurrence.
- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign.
"""
references = [
"https://specterops.io/blog/2026/01/30/weaponizing-whitelists-an-azure-blob-storage-mythic-c2-profile/"
]
risk_score = 47
rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (
    pastebin.* or
    paste.ee or
    ghostbin.com or
    drive.google.com or
    ?.docs.live.net or
    api.dropboxapi.* or
    content.dropboxapi.* or
    *dl.dropboxusercontent.* or
    api.onedrive.com or
    *.onedrive.org or
    onedrive.live.com or
    filebin.net or
    *.ngrok.io or
    ngrok.com or
    *.portmap.* or
    *serveo.net or
    *localtunnel.me or
    *pagekite.me or
    *localxpose.io or
    *notabug.org or
    rawcdn.githack.* or
    paste.nrecom.net or
    zerobin.net or
    controlc.com or
    requestbin.net or
    api.slack.com or
    slack-redir.net or
    slack-files.com or
    cdn.discordapp.com or
    discordapp.com or
    discord.com or
    apis.azureedge.net or
    cdn.sql.gg or
    ?.top4top.io or
    top4top.io or
    uplooder.net or
    *.cdnmegafiles.com or
    transfer.sh or
    updates.peer2profit.com or
    api.telegram.org or
    t.me or
    meacz.gq or
    rwrd.org or
    *.publicvm.com or
    *.blogspot.com or
    api.mylnikov.org or
    script.google.com or
    script.googleusercontent.com or
    paste4btc.com or
    workupload.com or
    temp.sh or
    filetransfer.io or
    gofile.io or
    store?.gofile.io or
    tiny.one or
    api.notion.com or
    *.sharepoint.com or
    *upload.ee or
    bit.ly or
    t.ly or
    cutt.ly or
    mbasic.facebook.com or
    api.gofile.io or
    file.io or
    api.anonfiles.com or
    api.trello.com or
    gist.githubusercontent.com or
    dpaste.com or
    *azurewebsites.net or
    *.zulipchat.com or
    *.4shared.com or
    filecloud.me or
    i.ibb.co or
    files.catbox.moe or
    *.getmyip.com or
    mockbin.org or
    webhook.site or
    run.mocky.io or
    *infinityfreeapp.com or
    free.keep.sh or
    tinyurl.com or
    ftpupload.net or
    lobfile.com or
    *.ngrok-free.app or
    myexternalip.com or
    yandex.ru or
    *.yandex.ru or
    *.aternos.me or
    cdn??.space or
    *.pcloud.com or
    mediafire.zip or
    urlz.fr or
    rentry.co or
    *.b-cdn.net or
    pastecode.dev or
    i.imgur.com or
    the.earth.li or
    *.trycloudflare.com or
    *.blob.core.windows.net or
    *.blob.storage.azure.net
) and
not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com or *.blob.core.windows.net or *.blob.storage.azure.net) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and
not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true) and
not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "destination.domain"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
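To show how the three parts of this rule combine (the wildcard domain list, the signature-scoped exclusions, and the new_terms window over host.id, process.executable and destination.domain), here is an added Python model of the rule's logic run over constructed sample events. It is not Elastic's code or part of the rule; it assumes KQL wildcards map onto fnmatch, case-sensitive keyword matching, and a representative subset of the domain list rather than the full one.

```python
import fnmatch

# Representative subset of the rule's destination.domain patterns (assumption: a subset, not the full list)
SUSPICIOUS_DOMAINS = ["pastebin.*", "?.docs.live.net", "*.ngrok-free.app", "drive.google.com", "*.blob.core.windows.net", "cdn.discordapp.com"]
# The rule's three 'not (...)' clauses: (domain patterns, or None for any domain; trusted-signer patterns)
EXCLUSIONS = [
    (["*.sharepoint.com", "*.azurewebsites.net", "onedrive.live.com", "*.b-cdn.net", "api.onedrive.com",
      "drive.google.com", "*.blogspot.com", "*.blob.core.windows.net", "*.blob.storage.azure.net"],
     ["*Microsoft*", "Software Signing", "Apple Mac OS Application Signing", "*VMware*"]),
    (None, ["*Mozilla*", "*Google*", "*Brave*", "*Opera*", "Software Signing", "*Zscaler*", "*Browser*"]),
    (["discord.com", "cdn.discordapp.com", "content.dropboxapi.com", "dl.dropboxusercontent.com"],
     ["*Discord*", "*Dropbox*"]),
]
def kql_match(value, patterns):
    # KQL '*' (any run) and '?' (one character) map directly onto fnmatch; keyword fields compare case-sensitively
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in patterns)
def base_query_hits(e):
    # The clause before the exclusions: a macOS network start event to one of the listed domains
    return (e["event.category"] == "network" and e["host.os.type"] == "macos"
            and e["event.type"] == "start" and kql_match(e["destination.domain"], SUSPICIOUS_DOMAINS))
def excluded(e):
    # A 'not (...)' clause applies only with a trusted signature from an expected signer (domain-scoped where listed)
    return bool(e["process.code_signature.trusted"]) and any(
        (doms is None or kql_match(e["destination.domain"], doms))
        and kql_match(e["process.code_signature.subject_name"], signers) for doms, signers in EXCLUSIONS)
def new_terms_alerts(events, history_window=7 * 86400):
    # One alert per (host.id, process.executable, destination.domain) tuple not seen within the history window
    last_seen, alerts = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if base_query_hits(e) and not excluded(e):
            key = (e["host.id"], e["process.executable"], e["destination.domain"])
            if key not in last_seen or e["@timestamp"] - last_seen[key] > history_window:
                alerts.append(key)
            last_seen[key] = e["@timestamp"]
    return alerts
def ev(ts, host, exe, domain, signer=None, trusted=False, os="macos"):
    # Constructed endpoint network event using the ECS field names the rule queries (sample data, not real telemetry)
    return {"@timestamp": ts, "event.category": "network", "event.type": "start", "host.os.type": os,
            "host.id": host, "process.executable": exe, "destination.domain": domain,
            "process.code_signature.subject_name": signer, "process.code_signature.trusted": trusted}

SAMPLE_EVENTS = [  # timestamps are seconds relative to the first event
    ev(0, "h1", "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "drive.google.com", "Google LLC", True),
    ev(60, "h1", "/Users/alice/Downloads/helper", "abc.ngrok-free.app"),             # unsigned: alerts
    ev(120, "h1", "/Users/alice/Downloads/helper", "abc.ngrok-free.app"),            # same tuple inside window
    ev(180, "h2", "/Applications/OneDrive.app/Contents/MacOS/OneDrive", "a.blob.core.windows.net", "Microsoft Corporation", True),
    ev(240, "h2", "/Users/bob/tool", "a.blob.core.windows.net", "Example Dev", True),  # trusted but unexpected signer
    ev(8 * 86400, "h1", "/Users/alice/Downloads/helper", "abc.ngrok-free.app"),       # window expired: alerts again
]
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields three alerts: the browser and OneDrive connections drop out through the signature exclusions, the repeat within seven days is suppressed, and the same tuple fires again once the history window has elapsed.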
