This detection rule identifies instances when Generative AI (GenAI) tools attempt to connect to domains with suspicious Top-Level Domains (TLDs) such as .top, .xyz, .ml, .cf, and .onion. These TLDs are often associated with malware command and control (C2) infrastructure due to their frequent use in cybercrime activities like phishing and malicious campaigns. By monitoring network traffic from GenAI processes on Windows and macOS platforms, the rule aims to flag potential security incidents stemming from compromise, malicious plugins, or unauthorized AI tools. The rule recommends a series of investigation steps, such as reviewing the GenAI tool's command line, connection details, and related user accounts to ascertain legitimacy and uncover potential threats. It balances high signal detection with a low expected alert volume, making it an efficient addition to any monitoring effort. It also emphasizes the importance of context in investigating alerts, as legitimate services may occasionally use these suspicious TLDs for benign purposes.