Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0011 ✕ technique: T1059 ✕
Show ATT&CK heatmapScripting engine connected to a rare external host Low 3 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.Variations
Scripting engine failed to connect to a rare external host
Informational overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Scripting engine with a modified image name connected to a rare external host
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN scripting engine connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden