A compromised process accessed a rare external host

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-11-09

Activation Period	14 Days
Training Period	30 Days
Test Period	2 Hours
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AWS Flow Log OR AWS OCSF Flow Logs OR Azure Flow Log OR Gcp Flow Log Requires: XDR Agent Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules
Detector Tags	EDR Windows C2 Analytics
ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	Low

A compromised process accessed a rare external host.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	High

A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	Medium

A process compromised by DLL sideloading accessed a rare external host.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	Medium

An injected process accessed a rare external host.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.