A process connected to a rare external host

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Informational

Description

A process connected to an external host name, or directly to an IP address, that is rarely connected to from the organization.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.
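As an added illustration (not Cortex XDR's own detection logic, which this page does not describe), the following Python models the synopsis parameters above: a 30-day training window, a 14-day activation period before any alert fires, and 1-day deduplication per process/destination pair. The rarity threshold (fewer than three distinct endpoints reached the destination during training), the record format and the telemetry are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Conn = namedtuple("Conn", "ts endpoint process dest")

# Window sizes are the ones stated in the synopsis; the rarity threshold and
# the "distinct endpoints" measure are assumptions, not Cortex XDR's logic.
TRAINING = timedelta(days=30)
ACTIVATION = timedelta(days=14)
DEDUP = timedelta(days=1)
RARE_IF_FEWER_THAN = 3  # assumed: rare if < 3 endpoints reached the host in training

def parse(line):
    """Parse a constructed 'timestamp,endpoint,process,destination' record."""
    ts, endpoint, process, dest = line.strip().split(",")
    return Conn(datetime.fromisoformat(ts), endpoint, process, dest)

def rare_host_alerts(lines):
    """Return the connections that would raise an alert, in time order."""
    conns = sorted((parse(l) for l in lines), key=lambda c: c.ts)
    if not conns:
        return []
    start, history, last_alert, alerts = conns[0].ts, [], {}, []
    for c in conns:
        # Baseline: which endpoints reached this destination in the last 30 days?
        seen = {h.endpoint for h in history
                if h.dest == c.dest and c.ts - TRAINING <= h.ts < c.ts}
        history.append(c)
        if c.ts - start < ACTIVATION:        # still learning: no alerts yet
            continue
        if len(seen) >= RARE_IF_FEWER_THAN:  # destination is common in the org
            continue
        key = (c.process, c.dest)
        if key in last_alert and c.ts - last_alert[key] < DEDUP:  # already alerted today
            continue
        last_alert[key] = c.ts
        alerts.append(c)
    return alerts

def sample_lines():
    """Constructed telemetry: a popular CDN plus one rarely contacted address."""
    base = datetime(2024, 9, 1)
    lines = [f"{(base + timedelta(days=d, hours=9)).isoformat()},ws-{i:02d},chrome.exe,cdn.example.com"
             for d in range(40) for i in range(5)]
    rare = "msbuild.exe,203.0.113.7"  # 203.0.113.0/24 is documentation address space
    lines += [f"{(base + timedelta(days=5)).isoformat()},ws-17,{rare}",            # activation period: silent
              f"{(base + timedelta(days=20)).isoformat()},ws-17,{rare}",           # alert
              f"{(base + timedelta(days=20, hours=6)).isoformat()},ws-17,{rare}",  # deduplicated
              f"{(base + timedelta(days=22)).isoformat()},ws-17,{rare}"]           # alert again
    return lines

if __name__ == "__main__":
    for a in rare_host_alerts(sample_lines()):
        print(a.ts, a.endpoint, a.process, "->", a.dest)
```

Running it yields two alerts for msbuild.exe reaching 203.0.113.7 (on 2024-09-21 and 2024-09-23); the day-5 connection is swallowed by the activation period and the repeat six hours after the first alert by deduplication.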

Variations

MSBuild process connected to a rare external host

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative actions

Check whether the CGO (causality group owner) actor process is not a code development tool (IDE), and whether the actor process was subverted for malicious use.


MSBuild process connected to a rare external host

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)

Severity

Medium

Description

MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative actions

Check whether the CGO (causality group owner) actor process is not a code development tool (IDE), and whether the actor process was subverted for malicious use.


LOLBIN spawned by an Office executable connected to a rare external host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

High

Description

A LOLBIN run by an Office process connected to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.


A curl process connected to a rare external host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Informational

Description

A curl process connected to an external host name, or directly to an IP address, that is rarely connected to from the organization.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.


VSCode extension process connected to a rare external host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

A VSCode extension connected to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.


UNIX LOLBIN process connected to a rare external host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

A UNIX LOLBIN connected to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.