[Tuning] Connection to Commonly Abused Web Services (#3425)

Samirbous · github-actions[bot] · commit 6cf92b25d3b2 · 2024-04-02T13:49:39.000Z
* Update command_and_control_common_webservices.toml * Update command_and_control_common_webservices.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 6917387)
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/02/04"
 
 [transform]
 [[transform.osquery]]
@@ -142,21 +142,25 @@ network where host.os.type == "windows" and network.protocol == "dns" and
     process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
     /* Add new WebSvc domains here */
     dns.question.name :
-    (
+       (
         "raw.githubusercontent.*",
-        "*.pastebin.*",
-        "*drive.google.*",
-        "*docs.live.*",
-        "*api.dropboxapi.*",
-        "*dropboxusercontent.*",
-        "*onedrive.*",
-        "*4shared.*",
-        "*.file.io",
-        "*filebin.net",
-        "*slack-files.com",
-        "*ghostbin.*",
-        "*ngrok.*",
-        "*portmap.*",
+        "github.com",
+        "pastebin.*",
+        "paste4btc.com",
+        "paste.ee",
+        "ghostbin.com",
+        "drive.google.com",
+        "?.docs.live.net",
+        "api.dropboxapi.*",
+        "content.dropboxapi.*",
+        "dl.dropboxusercontent.*",
+        "api.onedrive.com",
+        "*.onedrive.org",
+        "onedrive.live.com",
+        "filebin.net",
+        "*.ngrok.io",
+        "ngrok.com",
+        "*.portmap.*",
         "*serveo.net",
         "*localtunnel.me",
         "*pagekite.me",
@@ -167,12 +171,55 @@ network where host.os.type == "windows" and network.protocol == "dns" and
         "zerobin.net",
         "controlc.com",
         "requestbin.net",
+        "slack.com",
+        "api.slack.com",
+        "slack-redir.net",
+        "slack-files.com",
         "cdn.discordapp.com",
         "discordapp.com",
         "discord.com",
+        "apis.azureedge.net",
+        "cdn.sql.gg",
+        "?.top4top.io",
+        "top4top.io",
+        "www.uplooder.net",
+        "*.cdnmegafiles.com",
+        "transfer.sh",
+        "gofile.io",
+        "updates.peer2profit.com",
+        "api.telegram.org",
+        "t.me",
+        "meacz.gq",
+        "rwrd.org",
+        "*.publicvm.com",
+        "*.blogspot.com",
+        "api.mylnikov.org",
+        "file.io",
+        "stackoverflow.com",
+        "*files.1drv.com",
+        "api.anonfile.com",
+        "*hosting-profi.de",
+        "ipbase.com",
+        "ipfs.io",
+        "*up.freeo*.space",
+        "api.mylnikov.org",
         "script.google.com",
-        "script.googleusercontent.com"
-    ) and
+        "script.googleusercontent.com",
+        "api.notion.com",
+        "graph.microsoft.com",
+        "*.sharepoint.com",
+        "mbasic.facebook.com",
+        "login.live.com",
+        "api.gofile.io",
+        "api.anonfiles.com",
+        "api.notion.com",
+        "api.trello.com",
+        "gist.githubusercontent.com",
+        "files.pythonhosted.org",
+        "g.live.com",
+        "*.zulipchat.com",
+        "graph.microsoft.com") and 
+        
     /* Insert noisy false positives here */
     not (
       (
