Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A process connected to an external IP address or host that is rarely connected to from within the organization.
Attacker's Goals
Connect to a server to retrieve commands or exfiltrate data.
Investigative actions
Check whether the process was injected or otherwise subverted for malicious use.
Variations
Rare connection to external IP address or host by a java application using LDAP protocol
Rare connection to external IP address or host by a java application using RMI-IIOP protocol