[New] Unusual Network Connection to Suspicious Web Service (#4569)

* [New] Unusual Network Connection to Suspicious Web Service

* Update rule threat order

---------

Co-authored-by: Eric Forte <[email protected]>
Co-authored-by: eric-forte-elastic <[email protected]>
Co-authored-by: Mika Ayenson, PhD <[email protected]>

Author: 3 people

rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml

@@ -0,0 +1,157 @@
+[metadata]
+creation_date = "2025/03/26"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains. 
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Network Connection to Suspicious Web Service"
+risk_score = 47
+rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend"
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category : "network" and host.os.type : "macos" and event.type : "start" and
+destination.domain : (
+    pastebin.* or
+    paste.ee or
+    ghostbin.com or
+    drive.google.com or
+    ?.docs.live.net or
+    api.dropboxapi.* or
+    content.dropboxapi.* or
+    *dl.dropboxusercontent.* or
+    api.onedrive.com or
+    *.onedrive.org or
+    onedrive.live.com or
+    filebin.net or
+    *.ngrok.io or
+    ngrok.com or
+    *.portmap.* or
+    *serveo.net or
+    *localtunnel.me or
+    *pagekite.me or
+    *localxpose.io or
+    *notabug.org or
+    rawcdn.githack.* or
+    paste.nrecom.net or
+    zerobin.net or
+    controlc.com or
+    requestbin.net or
+    api.slack.com or
+    slack-redir.net or
+    slack-files.com or
+    cdn.discordapp.com or
+    discordapp.com or
+    discord.com or
+    apis.azureedge.net or
+    cdn.sql.gg or
+    ?.top4top.io or
+    top4top.io or
+    uplooder.net or
+    *.cdnmegafiles.com or
+    transfer.sh or
+    updates.peer2profit.com or
+    api.telegram.org or
+    t.me or
+    meacz.gq or
+    rwrd.org or
+    *.publicvm.com or
+    *.blogspot.com or
+    api.mylnikov.org or
+    script.google.com or
+    script.googleusercontent.com or
+    paste4btc.com or
+    workupload.com or
+    temp.sh or
+    filetransfer.io or
+    gofile.io or
+    store?.gofile.io or
+    tiny.one or
+    api.notion.com or
+    *.sharepoint.com or
+    *upload.ee or
+    bit.ly or
+    t.ly or
+    cutt.ly or
+    mbasic.facebook.com or
+    api.gofile.io or
+    file.io or
+    api.anonfiles.com or
+    api.trello.com or
+    gist.githubusercontent.com or
+    dpaste.com or
+    *azurewebsites.net or
+    *.zulipchat.com or
+    *.4shared.com or
+    filecloud.me or
+    i.ibb.co or
+    files.catbox.moe or
+    *.getmyip.com or
+    mockbin.org or
+    webhook.site or
+    run.mocky.io or
+    *infinityfreeapp.com or
+    free.keep.sh or
+    tinyurl.com or
+    ftpupload.net or
+    lobfile.com or
+    *.ngrok-free.app or
+    myexternalip.com or
+    yandex.ru or
+    *.yandex.ru or
+    *.aternos.me or
+    cdn??.space or
+    *.pcloud.com or
+    mediafire.zip or
+    urlz.fr or
+    rentry.co or
+    *.b-cdn.net or
+    pastecode.dev or
+    i.imgur.com or
+    the.earth.li or
+    *.trycloudflare.com
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable", "destination.domain"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"