kql · Elastic-2.0 · from elastic/detection-rules
Unusual Network Connection to Suspicious Web Service
Rule source: rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (
pastebin.* or
paste.ee or
ghostbin.com or
drive.google.com or
?.docs.live.net or
api.dropboxapi.* or
content.dropboxapi.* or
*dl.dropboxusercontent.* or
api.onedrive.com or
*.onedrive.org or
onedrive.live.com or
filebin.net or
*.ngrok.io or
ngrok.com or
*.portmap.* or
*serveo.net or
*localtunnel.me or
*pagekite.me or
*localxpose.io or
*notabug.org or
rawcdn.githack.* or
paste.nrecom.net or
zerobin.net or
controlc.com or
requestbin.net or
api.slack.com or
slack-redir.net or
slack-files.com or
cdn.discordapp.com or
discordapp.com or
discord.com or
apis.azureedge.net or
cdn.sql.gg or
?.top4top.io or
top4top.io or
uplooder.net or
*.cdnmegafiles.com or
transfer.sh or
updates.peer2profit.com or
api.telegram.org or
t.me or
meacz.gq or
rwrd.org or
*.publicvm.com or
*.blogspot.com or
api.mylnikov.org or
script.google.com or
script.googleusercontent.com or
paste4btc.com or
workupload.com or
temp.sh or
filetransfer.io or
gofile.io or
store?.gofile.io or
tiny.one or
api.notion.com or
*.sharepoint.com or
*upload.ee or
bit.ly or
t.ly or
cutt.ly or
mbasic.facebook.com or
api.gofile.io or
file.io or
api.anonfiles.com or
api.trello.com or
gist.githubusercontent.com or
dpaste.com or
*azurewebsites.net or
*.zulipchat.com or
*.4shared.com or
filecloud.me or
i.ibb.co or
files.catbox.moe or
*.getmyip.com or
mockbin.org or
webhook.site or
run.mocky.io or
*infinityfreeapp.com or
free.keep.sh or
tinyurl.com or
ftpupload.net or
lobfile.com or
*.ngrok-free.app or
myexternalip.com or
yandex.ru or
*.yandex.ru or
*.aternos.me or
cdn??.space or
*.pcloud.com or
mediafire.zip or
urlz.fr or
rentry.co or
*.b-cdn.net or
pastecode.dev or
i.imgur.com or
the.earth.li or
*.trycloudflare.com or
*.blob.core.windows.net or
*.blob.storage.azure.net
) and
not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com or *.blob.core.windows.net or *.blob.storage.azure.net) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and
not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true) and
not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)