
Unusual Network Connection to Suspicious Top Level Domain

Elastic Detection Rules

Summary
The rule named 'Unusual Network Connection to Suspicious Top Level Domain' monitors and alerts on unusual outbound network connections from macOS endpoints to a list of suspicious top-level domains, which are often associated with malicious activity such as command and control (C2) traffic. Using KQL (Kibana Query Language), it checks for network events categorized as 'start' on the macOS operating system, specifically targeting a comprehensive list of potentially harmful domains, including but not limited to '.ru', '.info', '.top', '.onion', and various other generic and less reputable TLDs. The rule runs against indexed logs from endpoint network events and aims to detect threats by identifying connections to these domains that may indicate underlying malicious intent. It carries a risk score of 47, classified as medium severity, indicating a noteworthy but not critical threat level. The rule uses a historical window to track past behaviour, providing context for current network activity and thereby improving detection of evolving threats.
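To make the detection logic concrete, the following is an added example (not the Elastic rule's own query, and not code from the Elastic Detection Rules project) that applies the three conditions the summary describes (macOS host, network connection start, destination domain ending in a suspicious TLD) to a handful of constructed ECS-shaped events. The TLD set is an illustrative subset built from the four TLDs named above; the rule's real list is longer, and the field names and sample events are assumptions for the purpose of the example.

```python
"""Toy re-implementation of the TLD-based detection summarised on the page.

Added example, not the Elastic rule's query. The TLD set is an illustrative
subset; the sample events below are constructed, not real telemetry.
"""

# Illustrative subset of the rule's suspicious TLD list (assumption: the real
# rule's list is considerably longer and may differ).
SUSPICIOUS_TLDS = {"ru", "info", "top", "onion"}


def registered_tld(domain):
    """Return the lowercase last label of a hostname, or None if there is none.

    A trailing dot (FQDN form) is tolerated; single-label names such as
    'localhost' have no TLD to judge and yield None.
    """
    if not domain:
        return None
    labels = domain.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return labels[-1]


def is_suspicious_tld(domain, tlds=SUSPICIOUS_TLDS):
    """True when the domain's TLD is in the suspicious set."""
    return registered_tld(domain) in tlds


def matches_rule(event, tlds=SUSPICIOUS_TLDS):
    """Mirror the conditions the summary describes: macOS host, a network
    event of type 'start', and a destination domain with a suspicious TLD."""
    host_os = event.get("host", {}).get("os", {}).get("type")
    ev = event.get("event", {})
    domain = event.get("destination", {}).get("domain")
    return (
        host_os == "macos"
        and "network" in ev.get("category", [])
        and "start" in ev.get("type", [])
        and is_suspicious_tld(domain, tlds)
    )


def detect(events, tlds=SUSPICIOUS_TLDS):
    """Return the events that would raise an alert under this logic."""
    return [e for e in events if matches_rule(e, tlds)]


# Constructed sample events in an ECS-like shape (assumed field layout).
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "macos"}}, "event": {"category": ["network"], "type": ["start"]},
     "process": {"name": "curl"}, "destination": {"domain": "updates.example.ru"}},
    {"host": {"os": {"type": "macos"}}, "event": {"category": ["network"], "type": ["start"]},
     "process": {"name": "Safari"}, "destination": {"domain": "www.example.com"}},
    {"host": {"os": {"type": "linux"}}, "event": {"category": ["network"], "type": ["start"]},
     "process": {"name": "wget"}, "destination": {"domain": "mirror.example.top"}},
    {"host": {"os": {"type": "macos"}}, "event": {"category": ["network"], "type": ["end"]},
     "process": {"name": "nc"}, "destination": {"domain": "relay.example.onion"}},
    {"host": {"os": {"type": "macos"}}, "event": {"category": ["network"], "type": ["start"]},
     "process": {"name": "python3"}, "destination": {"domain": "cdn.example.INFO."}},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["process"]["name"], "->", hit["destination"]["domain"])
```

Only the first and last sample events match: the second has a non-listed TLD, the third is not a macOS host, and the fourth is a connection end rather than a start. Because the rule's list includes widely used generic TLDs such as '.info', benign matches are expected; triage by the originating process and destination rather than treating every hit as C2.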
Categories
  • Endpoint
Data Sources
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1071
  • T1071.001
Created: 2025-03-25