Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

36 alerts match the current filters. technique: T1071 ✕

Show ATT&CK heatmap
  • A commonly abused process connected to a rare cloud resource Low 3 variations

    A commonly abused process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Is this use case usually takes place within the org? Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A commonly abused software develop tool connected to a rare cloud resource

    Informational overridden

    A commonly abused software develop tool connected to a rare cloud resource. overridden

    A commonly abused rare process connected to a rare cloud resource

    Low overridden

    A commonly abused rare process connected to a rare cloud resource. overridden

    A commonly abused renamed process connected to a rare cloud resource

    Medium overridden

    A commonly abused renamed process connected to a rare cloud resource. overridden

  • A commonly abused process connected to a rare external host Low 3 variations

    A commonly abused process connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the external host. Get further details about the uncommon external destination. Assess whether this communication pattern is expected or not.

    Variations

    A commonly abused renamed process connected to a rare external host

    Medium overridden

    A commonly abused renamed process connected to a rare external host. overridden

    A commonly abused process connected to a globally rare external host

    Low overridden

    A commonly abused process connected to a globally rare external host. overridden

    A commonly abused rare process connected to a rare external host

    Low overridden

    A commonly abused rare process connected to a rare external host. overridden

  • A compromised process accessed a rare cloud resource Informational 3 variations

    A compromised process accessed a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.
    Investigative actions: Investigate the compromised process. Identify the rare cloud resource accessed, is it managed by your organization?

    Variations

    A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters

    Medium overridden

    A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters. overridden

    A process compromised by DLL sideloading accessed a rare cloud resource

    Informational overridden

    A process compromised by DLL sideloading accessed a rare cloud resource. overridden

    An injected process accessed a rare cloud resource

    Informational overridden

    An injected process accessed a rare cloud resource. overridden

  • A compromised process accessed a rare external host Low 3 variations

    A compromised process accessed a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.
    Investigative actions: Investigate the compromised process. Check the rare remote host.

    Variations

    A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data

    High overridden

    A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data. overridden

    A process compromised by DLL sideloading accessed a rare external host

    Medium overridden

    A process compromised by DLL sideloading accessed a rare external host. overridden

    An injected process accessed a rare external host

    Medium overridden

    An injected process accessed a rare external host. overridden

  • A process connected to a rare cloud resource Informational 3 variations

    A process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A browser process connected to a rare cloud resource

    Informational overridden

    A browser process connected to a rare cloud resource. overridden

    A process connected to an atypical rare cloud resource

    Informational overridden

    A process connected to an atypical rare cloud resource. overridden

    A process connected to a rare cloud resource atypical to this agent

    Informational overridden

    A process connected to a rare cloud resource atypical to this agent. overridden

  • A process connected to a rare external host Informational 6 variations

    A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Attacker's goals: Beacon to C2 server and/or exfiltrate data.
    Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.

    Variations

    MSBuild process connected to a rare external host

    High overridden

    MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden

    MSBuild process connected to a rare external host

    Medium overridden

    MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden

    LOLBIN spawned by an Office executable connected to a rare external host

    High overridden

    A LOLBIN run by an Office process connected to an external IP address or host, which is rarely connected to from the organization. overridden

    A curl process connected to a rare external host

    Informational overridden

    A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization. overridden

    VSCode extension process connected to a rare external host

    Low overridden

    A VSCode extension connected to an external IP address or host, which is rarely connected to from the organization. overridden

    UNIX LOLBIN process connected to a rare external host

    Low overridden

    A UNIX LOLBIN connected to an external IP address or host, which is rarely connected to from the organization. overridden

  • A process connected to rare external host Informational 1 variation

    A process connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Get further details about the uncommon external destination and the actor process.

    Variations

    A process connected to globally rare external host

    Informational overridden

    A process connected to a globally rare external host. overridden

  • Abnormal network communication through TOR using an uncommon port Low 2 variations

    Suspicious connection from a known TOR IP to an uncommon port.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: XDR Agent
    Attacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.
    Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.

    Variations

    Abnormal network communication through TOR using an uncommon port and App-id

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden

    Abnormal network communication through TOR using a suspicious port

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden

  • An Azure DNS Zone was modified Informational Cloud

    An Azure DNS zone has been changed or removed, which may indicate malicious activity or a misconfiguration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: DNS (T1071.004)
    Required data: Azure Audit Log
    Attacker's goals: Take control of DNS zones to redirect traffic to malicious websites.
    Investigative actions: Verify whether the identity should be making this action. Check what Azure DNS zones were changed or removed.
  • DNS Tunneling Low 1 variation

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    DNS Tunneling

    Medium overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden

  • Download pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Globally uncommon IP address by a common process (sha256) Informational 4 variations

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.
    Investigative actions: Check the destination IP address reputation. Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address by a common process (sha256) from an injected thread

    High overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address by a common process (sha256) from a known vendor

    Medium overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address by a common process (sha256)

    Medium overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and a rare IP address by a common process (sha256)

    Low overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon IP address connection from a signed process Informational 3 variations

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address connection from an injected thread in a signed process

    Medium overridden

    An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address connection from a signed process from a known vendor

    Medium overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address connection from a signed process

    Low overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root domain from a signed process Low 4 variations

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root domain from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    Medium overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination by a common process (sha256) Informational 4 variations

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination by a common process (sha256) from an injected thread

    High overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare root-domain port combination by a common process (sha256)

    Medium overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination by a common process (sha256) from a known vendor

    Medium overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and rare root-domain port combination by a common process (sha256)

    Low overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination from a signed process Low 4 variations

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    Medium overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

  • Rare AppID usage to a rare destination Informational 2 variations

    Rare AppID with port usage to rare destination.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.
    Investigative actions: Investigate the endpoints participating in the session.

    Variations

    Rare AppID usage to a rare destination using an unsigned process

    Low overridden

    Rare AppID with port usage to rare destination. overridden

    Rare AppID usage to a rare destination from an internet-facing server

    Low overridden

    Rare AppID with port usage to rare destination. overridden

  • Rare access to known advertising domains Informational 2 variations

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)
    ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Causing the user to view excessive advertising content.
    Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.

    Variations

    Rare access to known advertising domains from a Rare User Agent

    Informational overridden

    The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden

    Suspicious Rare access to known advertising domains

    Low overridden

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden

  • Rare binary connected to a rare cloud resource Low 2 variations

    Rare binary connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Check the binary file. Get further details about the uncommon external cloud resource.

    Variations

    Software development tool connected to a rare cloud resource

    Informational overridden

    Software development tool connected to a rare cloud resource. overridden

    Recently downloaded rare binary connected to a rare cloud resource

    Medium overridden

    Recently downloaded rare binary connected to a rare cloud resource. overridden

  • Rare binary connected to a rare external host Low 2 variations

    Rare binary connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Check the rare binary file. Get further details about the rare external destination.

    Variations

    Rare unsigned binary connected to a globally rare external host

    Medium overridden

    Rare unsigned binary connected to a globally rare external host. overridden

    Rare binary connected to a globally rare external host

    Low overridden

    Rare binary connected to a globally rare external host. overridden

  • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol Informational 4 variations

    A process made a connection to an external IP address or host that is rarely connected to by the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Connect to a server to retrieve commands or exfiltrate data.
    Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.

    Variations

    Rare connection to external IP address or host by a java application using LDAP protocol

    Medium overridden

    A Java Process that never created LDAP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using LDAP protocol

    Medium overridden

    A Java Process that never created RMI-IIOP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using LDAP protocol

    Low overridden

    A Java Process connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using RMI-IIOP protocol

    Low overridden

    A Java Process connected to an external IP address or host, which is rarely connected to from the organization using RMI-IIOP protocol. overridden

  • Rare process created an SSH session to an uncommon cloud resource Low

    A rare process created an SSH session to an uncommon cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers may use SSH or any similar utility as a Command and Control (C2) channel or to exfiltrate data to a remote host.
    Investigative actions: Investigate the actor process and its causality. Review the remote cloud asset, is it managed by the organization or a partner? Search for processes or files that were accessed by this SSH instance.
  • Rare process created an SSH session to an uncommon external host Low 3 variations

    Rare process created an SSH session to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.
    Investigative actions: Investigate the actor process and its causality. Review the external IP/domain using known intelligence tools. Search for processes or files that were accessed by this SSH instance.

    Variations

    Rare process created an SSH session to a domain with an uncommon TLD

    Medium overridden

    Rare process created an SSH session to a domain with an uncommon TLD. overridden

    Rare process created an SSH session to an globally uncommon external host

    Low overridden

    Rare process created an SSH session to an globally uncommon external host. overridden

    Rare process created an SSH session to an external host

    Informational overridden

    Rare process created an SSH session to an external host. overridden

  • Recurring access to rare domain Low 1 variation

    The endpoint is periodically connecting to an external domain (categorized as malware) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.

    Variations

    Recurring access to rare domain

    Low overridden

    The endpoint is periodically connecting to an external domain (categorized as command-and-control) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

  • Recurring rare domain access from an unsigned process Low 2 variations

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Recurring rare domain access from an uncommon unsigned process

    Medium overridden

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

    Recurring access to a rare domain associated with known threats

    Medium overridden

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

  • Recurring rare domain access to dynamic DNS domain Low

    The endpoint is periodically connecting to an external domain that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.
  • Scripting engine connected to a rare external host Low 3 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)
    ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.

    Variations

    Scripting engine failed to connect to a rare external host

    Informational overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Scripting engine with a modified image name connected to a rare external host

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN scripting engine connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

  • Suspicious DNS traffic Informational 2 variations

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    Suspicious DNS traffic with a rarely seen domain

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden

    Suspicious DNS traffic with a globally rare DNS query length

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden

  • Suspicious curl user agent Informational 1 variation

    Suspicious user agent provided to curl command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Impairing host defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Suspicious curl user agent from within a Kubernetes Pod

    Low overridden

    Suspicious user agent provided to curl command. overridden

  • Uncommon Linux process communication to a rare external host Informational 6 variations

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are alsocontacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Uncommon Linux process communication to a rare external host by an automated penetration testing tool

    Medium overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host involving a code sharing website

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host involving a low-prevalence process connecting to a rare Top-Level Domain

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host with an external IP in the command line

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host using a data transfer tool

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host identified as global anomaly

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

  • Uncommon SSH session was established Low 14 variations

    An uncommon SSH session was established.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.

    Variations

    An Uncommon SSH session was established using a rare server HASSH for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden

    An Uncommon SSH session was established using a rare client HASSH for the agent

    Low overridden

    An uncommon SSH session was established using a rare client HASSH for the agent. overridden

    An Uncommon SSH session was established using a rare request banner for the agent

    Low overridden

    An Uncommon SSH session was established using a rare request banner for the agent. overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden

    An Uncommon SSH session was established using a rare Response banner

    Low overridden

    An Uncommon SSH session was established using a rare Response banner. overridden

    An Uncommon SSH session was established using a rare request banner

    Low overridden

    An Uncommon SSH session was established using a rare request banner. overridden

    An Uncommon SSH session was established using a rare Client HASSH

    Low overridden

    An uncommon SSH session was established using a rare client HASSH. overridden

    An Uncommon SSH session was established using a rare Server HASSH

    Low overridden

    An Uncommon SSH session was established using a rare Server HASSH. overridden

    A suspicious SSH session was established

    Low overridden

    A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden

    An Uncommon SSH session was established to a rare IP address

    Low overridden

    An uncommon SSH session was established to a rare remote IP address. overridden

    An Uncommon SSH session was established using a nonstandard SSH port

    Low overridden

    An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden

    Uncommon SSH session was established to a rare internal IP

    Low overridden

    An uncommon SSH session was established to a rare internal IP. overridden

    Uncommon SSH session was established that involved a higher than usual volume

    Low overridden

    Uncommon SSH session was established that involved a higher than usual volume. overridden

    Uncommon SSH session was established to an internal IP

    Informational overridden

    An uncommon SSH session was established to an internal IP. overridden

  • Uncommon file access over WebDAV Low 1 variation

    Uncommon file access over WebDAV.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Threat actors may use the WebDAV to blend in existing network traffic.
    Investigative actions: Investigate the process {actor_process_image_name} which tried to access the remote file. Investigate the remote host {webdav_dst_from_file_event}.

    Variations

    High-risk file read over WebDAV by a LOLBIN process

    High overridden

    High-risk file read over WebDAV by a LOLBIN process. overridden

  • Uncommon macOS process communication to a rare external host Informational 11 variations

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also contacting the suspicious host. Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Uncommon macOS process communication to a rare external host by security testing tool

    High overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host with a frequently abused TLD

    Medium overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility to establish a connection with a messaging service API

    Medium overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host related to LOTTunnels

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host with a rare TLD

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and piping to script

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility to download and change permission

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility running by an unsigned process

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and saving data to a temporary folder

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and downloading a script

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

  • Uncommon recurring rare external host access Informational 6 variations

    A process has established recurring connections to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.

    Variations

    Uncommon recurring rare external host access by an automated penetration testing tool

    High overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access to a dynamic DNS domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access initiated by a cron job

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a rare top-level domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access using an exfiltration tool

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a sensitive file in actor or causality command line

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

  • Upload pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Windows LOLBIN executable connected to a rare external host Medium 2 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to.

    Variations

    Windows LOLBIN executable connected to a rare external host on a newly activated agent

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN executable connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden