Analytics Alerts
Browse the Cortex analytics alert reference.
36 alerts match the current filters. technique: T1071 ✕
Show ATT&CK heatmapA commonly abused process connected to a rare cloud resource Low 3 variations
A commonly abused process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Is this use case usually takes place within the org? Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A commonly abused software develop tool connected to a rare cloud resource
Informational overridden
A commonly abused software develop tool connected to a rare cloud resource. overridden
A commonly abused rare process connected to a rare cloud resource
Low overridden
A commonly abused rare process connected to a rare cloud resource. overridden
A commonly abused renamed process connected to a rare cloud resource
Medium overridden
A commonly abused renamed process connected to a rare cloud resource. overridden
A commonly abused process connected to a rare external host Low 3 variations
A commonly abused process connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the external host. Get further details about the uncommon external destination. Assess whether this communication pattern is expected or not.Variations
A commonly abused renamed process connected to a rare external host
Medium overridden
A commonly abused renamed process connected to a rare external host. overridden
A commonly abused process connected to a globally rare external host
Low overridden
A commonly abused process connected to a globally rare external host. overridden
A commonly abused rare process connected to a rare external host
Low overridden
A commonly abused rare process connected to a rare external host. overridden
A compromised process accessed a rare cloud resource Informational 3 variations
A compromised process accessed a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.Investigative actions: Investigate the compromised process. Identify the rare cloud resource accessed, is it managed by your organization?Variations
A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters
Medium overridden
A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters. overridden
A process compromised by DLL sideloading accessed a rare cloud resource
Informational overridden
A process compromised by DLL sideloading accessed a rare cloud resource. overridden
An injected process accessed a rare cloud resource
Informational overridden
An injected process accessed a rare cloud resource. overridden
A compromised process accessed a rare external host Low 3 variations
A compromised process accessed a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.Investigative actions: Investigate the compromised process. Check the rare remote host.Variations
A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data
High overridden
A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data. overridden
A process compromised by DLL sideloading accessed a rare external host
Medium overridden
A process compromised by DLL sideloading accessed a rare external host. overridden
An injected process accessed a rare external host
Medium overridden
An injected process accessed a rare external host. overridden
A process connected to a rare cloud resource Informational 3 variations
A process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A browser process connected to a rare cloud resource
Informational overridden
A browser process connected to a rare cloud resource. overridden
A process connected to an atypical rare cloud resource
Informational overridden
A process connected to an atypical rare cloud resource. overridden
A process connected to a rare cloud resource atypical to this agent
Informational overridden
A process connected to a rare cloud resource atypical to this agent. overridden
A process connected to a rare external host Informational 6 variations
A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentAttacker's goals: Beacon to C2 server and/or exfiltrate data.Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.Variations
MSBuild process connected to a rare external host
High overridden
MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden
MSBuild process connected to a rare external host
Medium overridden
MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden
LOLBIN spawned by an Office executable connected to a rare external host
High overridden
A LOLBIN run by an Office process connected to an external IP address or host, which is rarely connected to from the organization. overridden
A curl process connected to a rare external host
Informational overridden
A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization. overridden
VSCode extension process connected to a rare external host
Low overridden
A VSCode extension connected to an external IP address or host, which is rarely connected to from the organization. overridden
UNIX LOLBIN process connected to a rare external host
Low overridden
A UNIX LOLBIN connected to an external IP address or host, which is rarely connected to from the organization. overridden
A process connected to rare external host Informational 1 variation
A process connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Get further details about the uncommon external destination and the actor process.Variations
A process connected to globally rare external host
Informational overridden
A process connected to a globally rare external host. overridden
Abnormal network communication through TOR using an uncommon port Low 2 variations
Suspicious connection from a known TOR IP to an uncommon port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: XDR AgentAttacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.Variations
Abnormal network communication through TOR using an uncommon port and App-id
Low overridden
Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden
Abnormal network communication through TOR using a suspicious port
Low overridden
Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden
An Azure DNS Zone was modified Informational Cloud
An Azure DNS zone has been changed or removed, which may indicate malicious activity or a misconfiguration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: DNS (T1071.004)Required data: Azure Audit LogAttacker's goals: Take control of DNS zones to redirect traffic to malicious websites.Investigative actions: Verify whether the identity should be making this action. Check what Azure DNS zones were changed or removed.DNS Tunneling Low 1 variation
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
DNS Tunneling
Medium overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden
Download pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Globally uncommon IP address by a common process (sha256) Informational 4 variations
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.Investigative actions: Check the destination IP address reputation. Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon IP address by a common process (sha256) from an injected thread
High overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address by a common process (sha256) from a known vendor
Medium overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address by a common process (sha256)
Medium overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and a rare IP address by a common process (sha256)
Low overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process Informational 3 variations
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.Variations
Globally uncommon IP address connection from an injected thread in a signed process
Medium overridden
An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process from a known vendor
Medium overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address connection from a signed process
Low overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process Low 4 variations
A signed process connected to an external domain that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root domain from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
Medium overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination by a common process (sha256) Informational 4 variations
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination by a common process (sha256) from an injected thread
High overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare root-domain port combination by a common process (sha256)
Medium overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination by a common process (sha256) from a known vendor
Medium overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and rare root-domain port combination by a common process (sha256)
Low overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process Low 4 variations
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
Medium overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Rare AppID usage to a rare destination Informational 2 variations
Rare AppID with port usage to rare destination.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.Investigative actions: Investigate the endpoints participating in the session.Variations
Rare AppID usage to a rare destination using an unsigned process
Low overridden
Rare AppID with port usage to rare destination. overridden
Rare AppID usage to a rare destination from an internet-facing server
Low overridden
Rare AppID with port usage to rare destination. overridden
Rare access to known advertising domains Informational 2 variations
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Causing the user to view excessive advertising content.Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.Variations
Rare access to known advertising domains from a Rare User Agent
Informational overridden
The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden
Suspicious Rare access to known advertising domains
Low overridden
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden
Rare binary connected to a rare cloud resource Low 2 variations
Rare binary connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Check the binary file. Get further details about the uncommon external cloud resource.Variations
Software development tool connected to a rare cloud resource
Informational overridden
Software development tool connected to a rare cloud resource. overridden
Recently downloaded rare binary connected to a rare cloud resource
Medium overridden
Recently downloaded rare binary connected to a rare cloud resource. overridden
Rare binary connected to a rare external host Low 2 variations
Rare binary connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Check the rare binary file. Get further details about the rare external destination.Variations
Rare unsigned binary connected to a globally rare external host
Medium overridden
Rare unsigned binary connected to a globally rare external host. overridden
Rare binary connected to a globally rare external host
Low overridden
Rare binary connected to a globally rare external host. overridden
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol Informational 4 variations
A process made a connection to an external IP address or host that is rarely connected to by the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Url LogsAttacker's goals: Connect to a server to retrieve commands or exfiltrate data.Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.Variations
Rare connection to external IP address or host by a java application using LDAP protocol
Medium overridden
A Java Process that never created LDAP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using LDAP protocol
Medium overridden
A Java Process that never created RMI-IIOP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using LDAP protocol
Low overridden
A Java Process connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using RMI-IIOP protocol
Low overridden
A Java Process connected to an external IP address or host, which is rarely connected to from the organization using RMI-IIOP protocol. overridden
Rare process created an SSH session to an uncommon cloud resource Low
A rare process created an SSH session to an uncommon cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers may use SSH or any similar utility as a Command and Control (C2) channel or to exfiltrate data to a remote host.Investigative actions: Investigate the actor process and its causality. Review the remote cloud asset, is it managed by the organization or a partner? Search for processes or files that were accessed by this SSH instance.Rare process created an SSH session to an uncommon external host Low 3 variations
Rare process created an SSH session to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.Investigative actions: Investigate the actor process and its causality. Review the external IP/domain using known intelligence tools. Search for processes or files that were accessed by this SSH instance.Variations
Rare process created an SSH session to a domain with an uncommon TLD
Medium overridden
Rare process created an SSH session to a domain with an uncommon TLD. overridden
Rare process created an SSH session to an globally uncommon external host
Low overridden
Rare process created an SSH session to an globally uncommon external host. overridden
Rare process created an SSH session to an external host
Informational overridden
Rare process created an SSH session to an external host. overridden
Recurring access to rare domain Low 1 variation
The endpoint is periodically connecting to an external domain (categorized as malware) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.Variations
Recurring access to rare domain
Low overridden
The endpoint is periodically connecting to an external domain (categorized as command-and-control) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring rare domain access from an unsigned process Low 2 variations
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Recurring rare domain access from an uncommon unsigned process
Medium overridden
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring access to a rare domain associated with known threats
Medium overridden
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring rare domain access to dynamic DNS domain Low
The endpoint is periodically connecting to an external domain that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.Scripting engine connected to a rare external host Low 3 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.Variations
Scripting engine failed to connect to a rare external host
Informational overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Scripting engine with a modified image name connected to a rare external host
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN scripting engine connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Suspicious DNS traffic Informational 2 variations
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
Suspicious DNS traffic with a rarely seen domain
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden
Suspicious DNS traffic with a globally rare DNS query length
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden
Suspicious curl user agent Informational 1 variation
Suspicious user agent provided to curl command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Impairing host defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Suspicious curl user agent from within a Kubernetes Pod
Low overridden
Suspicious user agent provided to curl command. overridden
Uncommon Linux process communication to a rare external host Informational 6 variations
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are alsocontacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Uncommon Linux process communication to a rare external host by an automated penetration testing tool
Medium overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host involving a code sharing website
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host involving a low-prevalence process connecting to a rare Top-Level Domain
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host with an external IP in the command line
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host using a data transfer tool
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host identified as global anomaly
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon SSH session was established Low 14 variations
An uncommon SSH session was established.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.Variations
An Uncommon SSH session was established using a rare server HASSH for the ssh server
Low overridden
An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden
An Uncommon SSH session was established using a rare client HASSH for the agent
Low overridden
An uncommon SSH session was established using a rare client HASSH for the agent. overridden
An Uncommon SSH session was established using a rare request banner for the agent
Low overridden
An Uncommon SSH session was established using a rare request banner for the agent. overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server
Low overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden
An Uncommon SSH session was established using a rare Response banner
Low overridden
An Uncommon SSH session was established using a rare Response banner. overridden
An Uncommon SSH session was established using a rare request banner
Low overridden
An Uncommon SSH session was established using a rare request banner. overridden
An Uncommon SSH session was established using a rare Client HASSH
Low overridden
An uncommon SSH session was established using a rare client HASSH. overridden
An Uncommon SSH session was established using a rare Server HASSH
Low overridden
An Uncommon SSH session was established using a rare Server HASSH. overridden
A suspicious SSH session was established
Low overridden
A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden
An Uncommon SSH session was established to a rare IP address
Low overridden
An uncommon SSH session was established to a rare remote IP address. overridden
An Uncommon SSH session was established using a nonstandard SSH port
Low overridden
An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden
Uncommon SSH session was established to a rare internal IP
Low overridden
An uncommon SSH session was established to a rare internal IP. overridden
Uncommon SSH session was established that involved a higher than usual volume
Low overridden
Uncommon SSH session was established that involved a higher than usual volume. overridden
Uncommon SSH session was established to an internal IP
Informational overridden
An uncommon SSH session was established to an internal IP. overridden
Uncommon file access over WebDAV Low 1 variation
Uncommon file access over WebDAV.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Threat actors may use the WebDAV to blend in existing network traffic.Investigative actions: Investigate the process {actor_process_image_name} which tried to access the remote file. Investigate the remote host {webdav_dst_from_file_event}.Variations
High-risk file read over WebDAV by a LOLBIN process
High overridden
High-risk file read over WebDAV by a LOLBIN process. overridden
Uncommon macOS process communication to a rare external host Informational 11 variations
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also contacting the suspicious host. Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Uncommon macOS process communication to a rare external host by security testing tool
High overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host with a frequently abused TLD
Medium overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility to establish a connection with a messaging service API
Medium overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host related to LOTTunnels
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host with a rare TLD
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and piping to script
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility to download and change permission
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility running by an unsigned process
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and saving data to a temporary folder
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and downloading a script
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon recurring rare external host access Informational 6 variations
A process has established recurring connections to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.Variations
Uncommon recurring rare external host access by an automated penetration testing tool
High overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access to a dynamic DNS domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access initiated by a cron job
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a rare top-level domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access using an exfiltration tool
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a sensitive file in actor or causality command line
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Upload pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Windows LOLBIN executable connected to a rare external host Medium 2 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to.Variations
Windows LOLBIN executable connected to a rare external host on a newly activated agent
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN executable connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden