Synopsis
Description
A process connected to an external host name, or directly to an IP address, that is rarely connected to from the organization.
Attacker's Goals
Beacon to C2 server and/or exfiltrate data.
Investigative actions
Check whether the process was injected or otherwise subverted for malicious use.
Variations
MSBuild process connected to a rare external host
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | High
Description
MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution.
Attacker's Goals
Beacon to C2 server and/or exfiltrate data.
Investigative actions
Check whether the CGO (causality group owner) actor process is something other than a code development tool (IDE), and whether the actor process was subverted for malicious use.
LOLBIN spawned by an Office executable connected to a rare external host
Synopsis
Description
A LOLBIN run by an Office process connected to an external IP address or host that is rarely connected to from the organization.
Attacker's Goals
Beacon to C2 server and/or exfiltrate data.
Investigative actions
Check whether the process was injected or otherwise subverted for malicious use.
A curl process connected to a rare external host
Synopsis
Description
A curl process connected to an external host name, or directly to an IP address, that is rarely connected to from the organization.
Attacker's Goals
Beacon to C2 server and/or exfiltrate data.
Investigative actions
Check whether the process was injected or otherwise subverted for malicious use.
VSCode extension process connected to a rare external host
Synopsis
Description
A VSCode extension connected to an external IP address or host that is rarely connected to from the organization.
Attacker's Goals
Beacon to C2 server and/or exfiltrate data.
Investigative actions
Check whether the process was injected or otherwise subverted for malicious use.
UNIX LOLBIN process connected to a rare external host
Synopsis
Description
A UNIX LOLBIN connected to an external IP address or host that is rarely connected to from the organization.
Attacker's Goals
Beacon to C2 server and/or exfiltrate data.
Investigative actions
Check whether the process was injected or otherwise subverted for malicious use.
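The rarity logic that all of the variations above share, shown as an added example written for this page (it is not the product's own analytics): the sample connection events, the process lists, the internal-network list and the "fewer than three endpoints" threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of process network-connection events: (endpoint, process, destination).
# Made-up values for illustration only, not telemetry from any real environment.
EVENTS = [
    ("ws-01", "chrome.exe", "www.example.com"),
    ("ws-02", "chrome.exe", "www.example.com"),
    ("ws-03", "chrome.exe", "www.example.com"),
    ("ws-04", "outlook.exe", "mail.example.com"),
    ("ws-05", "outlook.exe", "mail.example.com"),
    ("ws-06", "outlook.exe", "mail.example.com"),
    ("ws-02", "svchost.exe", "10.0.0.5"),               # internal destination, ignored
    ("ws-07", "msbuild.exe", "203.0.113.10"),           # MSBuild is not expected on the network
    ("ws-09", "curl.exe", "203.0.113.10"),              # curl to the same rarely-seen host
    ("ws-03", "certutil.exe", "rare-cdn.example.net"),  # LOLBIN to a host seen once
]
# Process categories called out by the variations above (assumed lists, not exhaustive).
NO_NETWORK_EXPECTED = {"msbuild.exe"}
LOLBINS = {"curl.exe", "certutil.exe", "mshta.exe", "rundll32.exe"}
# Address ranges treated as internal (assumption: RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RARE_THRESHOLD = 3  # a destination is "rare" if fewer than this many endpoints ever reached it

def is_external(destination):
    """Host names count as external; IP addresses are external unless inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)

def destination_prevalence(events):
    """Map each external destination to the set of distinct endpoints that connected to it."""
    seen = defaultdict(set)
    for endpoint, _proc, dest in events:
        if is_external(dest):
            seen[dest].add(endpoint)
    return seen

def rare_external_connections(events, threshold=RARE_THRESHOLD):
    """Return (endpoint, process, destination, reason) for connections to rare external hosts."""
    prevalence = destination_prevalence(events)
    alerts = []
    for endpoint, proc, dest in events:
        if not is_external(dest) or len(prevalence[dest]) >= threshold:
            continue
        name = proc.lower()
        if name in NO_NETWORK_EXPECTED:
            reason = "process normally makes no network connections"
        elif name in LOLBINS:
            reason = "LOLBIN connected to rare host"
        else:
            reason = "rare external destination"
        alerts.append((endpoint, name, dest, reason))
    return alerts
```

Each alert still needs the investigative step the variations describe: confirm whether the actor process was injected or otherwise subverted before treating the connection as beaconing.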