Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Palo Alto Networks Url Logs

Detection Modules

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Informational

Description

A process connected to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Connect to a server to retrieve commands or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.

Variations

Rare connection to external IP address or host by a java application using LDAP protocol

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Medium

Description

A Java process that had never created an LDAP connection before connected, using the LDAP protocol, to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Connect to a server to retrieve commands or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.


Rare connection to external IP address or host by a java application using LDAP protocol

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Medium

Description

A Java process that had never created an RMI-IIOP connection before connected, using the LDAP protocol, to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Connect to a server to retrieve commands or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.


Rare connection to external IP address or host by a java application using LDAP protocol

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

A Java process connected, using the LDAP protocol, to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Connect to a server to retrieve commands or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.


Rare connection to external IP address or host by a java application using RMI-IIOP protocol

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

A Java process connected, using the RMI-IIOP protocol, to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals

Connect to a server to retrieve commands or exfiltrate data.

Investigative actions

Check whether the process was injected or otherwise subverted for malicious use.
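As an added illustration, not Cortex XDR's own detection logic, the following Python models how the periods and severity tiers above could combine: a baseline of destinations and process/protocol pairs is built from the 30-day training window, the 14-day activation window is scored for rare LDAP or RMI-IIOP destinations, repeats within the 1-day deduplication period are suppressed, and the base alert and its Java variations map to Informational, Low and Medium. The log records are constructed, and the process names, the rarity threshold and the way a Java application is recognised are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed model of the alert's periods (values taken from the alert card): a 30-day training
# window builds the baseline, the following 14-day activation window is scored, dedup is 1 day.
TRAINING = timedelta(days=30)
ACTIVATION = timedelta(days=14)
DEDUP = timedelta(days=1)
RARE_MAX_SIGHTINGS = 1          # assumption: "rarely connected to" = seen at most once in training
JAVA_PROCESSES = {"java.exe", "javaw.exe", "tomcat.exe"}   # assumption: how a Java app is recognised
WATCHED = {"ldap", "rmi-iiop"}
# Constructed URL-log-style records: (timestamp, process, protocol, destination host).
EVENTS = [
    ("2024-05-01T09:00", "java.exe",    "ldap",     "ldap.corp.example"),
    ("2024-05-02T09:00", "java.exe",    "ldap",     "ldap.corp.example"),
    ("2024-05-03T09:00", "svchost.exe", "https",    "update.example"),
    ("2024-06-02T12:00", "java.exe",    "ldap",     "203.0.113.7"),   # rare host, LDAP seen before -> Low
    ("2024-06-02T13:00", "java.exe",    "ldap",     "203.0.113.7"),   # same alert within 1 day -> suppressed
    ("2024-06-03T08:00", "tomcat.exe",  "ldap",     "203.0.113.9"),   # Java app never used LDAP -> Medium
    ("2024-06-03T09:00", "curl.exe",    "rmi-iiop", "203.0.113.9"),   # non-Java process -> Informational
]

def evaluate(events, now):
    """Return the alerts the model raises for the activation window ending at `now`."""
    now = datetime.fromisoformat(now)
    act_start, train_start = now - ACTIVATION, now - ACTIVATION - TRAINING
    parsed = sorted((datetime.fromisoformat(t), p, proto, h) for t, p, proto, h in events)
    training = [e for e in parsed if train_start <= e[0] < act_start]
    host_sightings = Counter((proto, host) for _, _, proto, host in training)
    process_protocols = {(p, proto) for _, p, proto, _ in training}
    last_alert, alerts = {}, []
    for ts, proc, proto, host in parsed:
        if not act_start <= ts <= now or proto not in WATCHED:
            continue
        if host_sightings[(proto, host)] > RARE_MAX_SIGHTINGS:
            continue                                   # destination is common for the organization
        if proc not in JAVA_PROCESSES:
            sev = "Informational"                      # base alert: any process, rare destination
        elif (proc, proto) not in process_protocols:
            sev = "Medium"                             # Java process never used this protocol before
        else:
            sev = "Low"                                # Java process, protocol seen before, host rare
        key = (proc, proto, host)
        if key in last_alert and ts - last_alert[key] < DEDUP:
            continue                                   # deduplication period
        last_alert[key] = ts
        alerts.append({"time": ts.isoformat(), "process": proc, "protocol": proto, "host": host, "severity": sev})
    return alerts
```

Running `evaluate(EVENTS, "2024-06-04T00:00")` yields three alerts (Low, Medium, Informational); the second connection to 203.0.113.7 is absorbed by the deduplication period.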