Language: KQL. License: Elastic-2.0. From elastic/detection-rules.
Unusual Network Connection to Suspicious Top Level Domain
Quality: 92
Rule source: rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (*.team or *.lol or *.kr or *.ke or *.nu or *.space or
*.capital or *.in or *.cfd or *.online or *.ru or
*.info or *.top or *.buzz or *.xyz or *.rest or
*.ml or *.cf or *.gq or *.ga or *.onion or
*.network or *.monster or *.marketing or *.cyou or
*.quest or *.cc or *.bar or *.click or *.cam or
*.surf or *.tk or *.shop or *.club or *.icu or
*.pw or *.ws or *.hair or *.mom or
*.beauty or *.boats or *.fun or *.life or
*.store)