Windows LOLBIN executable connected to a rare external host

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Medium

Description

Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

Attacker's Goals

Connect to the attacker's Command and Control server.

Investigative actions

  • Check the external address the process connects to.

Variations

Windows LOLBIN executable connected to a rare external host on a newly activated agent

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

Attacker's Goals

Connect to the attacker's Command and Control server.

Investigative actions

  • Check the external address the process connects to.


Windows LOLBIN executable connected to a rare external host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Medium

Description

Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

Attacker's Goals

Connect to the attacker's Command and Control server.

Investigative actions

  • Check the external address the process connects to.