Recurring rare domain access from an unsigned process

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2025-04-29
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

14 Days

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

An unsigned process is periodically connecting to an external domain that it and its peers rarely use.
Access to this domain has occurred repeatedly over multiple days.
This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

Attacker's Goals

Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.

Investigative actions

  • Identify the process contacting the remote domain and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also periodically contacting the suspicious domain.
  • Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.

Variations

Recurring rare domain access from an uncommon unsigned process

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Medium

Description

An unsigned process is periodically connecting to an external domain that it and its peers rarely use.
Access to this domain has occurred repeatedly over multiple days.
This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

Attacker's Goals

Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.

Investigative actions

  • Identify the process contacting the remote domain and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also periodically contacting the suspicious domain.
  • Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.


Recurring access to a rare domain associated with known threats

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Medium

Description

An unsigned process is periodically connecting to an external domain that it and its peers rarely use.
Access to this domain has occurred repeatedly over multiple days.
This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

Attacker's Goals

Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.

Investigative actions

  • Identify the process contacting the remote domain and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also periodically contacting the suspicious domain.
  • Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.