Abnormal Recurring Communications to a Rare IP

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

NDR C2 Detection

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Application Layer Protocol (T1095)

Severity

Informational

Description

Abnormal, recurring communications were seen from an internal entity to a rare external IP address. This could be beaconing to a C2 server.

Attacker's Goals

Communicate with malicious code running on your network, in order to gain further access to the endpoint and the network, to push updates to the malware on the endpoint, or to take inventory of infected machines.

Investigative actions

  • Determine whether the external IP address belongs to a reputable organization or to an asset hosted in a public cloud.
  • Determine whether the source of the traffic is malware. If the traffic originates from a malicious file, Cortex XDR Analytics also raises a malware alert for that file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual applications, unusual destination ports, or unusual traffic volumes.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process that initiated the traffic and look for artifacts on the infected endpoints.
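The two conditions behind this alert, a destination that is rare across the estate during the training window and connections from one host that recur at regular intervals during the detection window, can be checked outside the product on exported connection logs. The following is an added, self-contained illustration written for this page; it is not Cortex XDR's implementation. The thresholds (30-day training window, 1-day detection window matching the deduplication period, "rare" meaning at most 2 distinct internal hosts in training, "periodic" meaning at least 6 connections whose inter-connection gaps have a coefficient of variation of 0.25 or less), the `Conn` record, and the sample traffic (RFC 5737 documentation addresses) are all assumptions constructed for the demo. The alert it emits also lists the other internal hosts that touched the same destination, which is the fourth investigative action above.

```python
"""Beacon-to-rare-IP detector mirroring the logic described for this alert.
Added illustrative code, not Cortex XDR's implementation; thresholds and
sample records are assumptions constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str    # internal host address
    dst: str    # external destination address
    dport: int  # destination port


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(conns, start, end):
    """Training step: distinct internal hosts per external destination in [start, end)."""
    hosts = defaultdict(set)
    for c in conns:
        if start <= c.ts < end and not is_internal(c.dst):
            hosts[c.dst].add(c.src)
    return {dst: len(h) for dst, h in hosts.items()}


def beacon_stats(stamps, min_events, max_cv):
    """A beacon calls home at (nearly) fixed intervals, so the coefficient of
    variation of the gaps between connections is small. Returns (periodic?, mean gap, cv)."""
    if len(stamps) < min_events:
        return False, 0.0, 0.0
    ts = sorted(stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return False, mu, 0.0
    cv = pstdev(gaps) / mu
    return cv <= max_cv, mu, cv


def detect(conns, now, training_days=30, window_days=1, max_hosts=2, min_events=6, max_cv=0.25):
    """Rare destination (few hosts in the training window) plus periodic recurring
    connections in the detection window. One alert per (src, dst, port) per window
    plays the role of the 1-day deduplication period."""
    win_start = now - timedelta(days=window_days)
    train_start = win_start - timedelta(days=training_days)
    baseline = build_baseline(conns, train_start, win_start)

    groups = defaultdict(list)       # (src, dst, dport) -> connection timestamps
    hosts_by_dst = defaultdict(set)  # which internal hosts touched each destination
    for c in conns:
        if win_start <= c.ts < now and not is_internal(c.dst):
            groups[(c.src, c.dst, c.dport)].append(c.ts)
            hosts_by_dst[c.dst].add(c.src)

    alerts = []
    for (src, dst, dport), stamps in sorted(groups.items()):
        if baseline.get(dst, 0) > max_hosts:
            continue  # widely contacted destination: not rare
        periodic, mu, cv = beacon_stats(stamps, min_events, max_cv)
        if not periodic:
            continue
        alerts.append({"src": src, "dst": dst, "dport": dport, "events": len(stamps),
                       "mean_interval_s": round(mu, 1), "cv": round(cv, 3),
                       # investigative lead: other endpoints talking to the same IP
                       "other_hosts": sorted(hosts_by_dst[dst] - {src})})
    return alerts


# --- constructed sample traffic (assumed; RFC 5737 documentation addresses) ---
NOW = datetime(2024, 12, 3)
WIN = NOW - timedelta(days=1)
TRAIN = WIN - timedelta(days=30)


def sample_conns():
    conns = []
    # training window: 20 hosts reach a popular address daily -> not rare
    for d in range(30):
        for h in range(1, 21):
            conns.append(Conn(TRAIN + timedelta(days=d, hours=9), f"10.0.1.{h}", "198.51.100.10", 443))
    conns.append(Conn(TRAIN + timedelta(days=3), "10.0.0.9", "192.0.2.9", 8080))  # seen from one host
    # detection window: host .5 beacons every ~5 min (small jitter) to a never-seen address
    for i in range(288):
        conns.append(Conn(WIN + timedelta(seconds=300 * i + (i % 3) * 4), "10.0.0.5", "203.0.113.77", 443))
    # the same host polls the popular address every 10 min -> periodic but not rare
    for i in range(144):
        conns.append(Conn(WIN + timedelta(seconds=600 * i), "10.0.0.5", "198.51.100.10", 443))
    # a second host touches the rare address only twice -> recorded, not alerted
    conns.append(Conn(WIN + timedelta(hours=1), "10.0.0.8", "203.0.113.77", 443))
    conns.append(Conn(WIN + timedelta(hours=5), "10.0.0.8", "203.0.113.77", 443))
    # irregular bursts to a rare address -> rare but not periodic
    for off in (0, 15, 3700, 3720, 9000, 9010, 20000, 40000, 40030, 80000):
        conns.append(Conn(WIN + timedelta(seconds=off), "10.0.0.9", "192.0.2.9", 8080))
    return conns


if __name__ == "__main__":
    for alert in detect(sample_conns(), NOW):
        print(alert)
```

Run as-is, it reports a single alert for 10.0.0.5 to 203.0.113.77:443 (288 events about 300 s apart) and names 10.0.0.8 as another host that contacted the same address. The popular address is excluded by the rarity test even though the polling is perfectly periodic, and the irregular bursts to 192.0.2.9 are excluded by the periodicity test; both exclusions are the reason this alert stays at Informational severity and needs the investigative steps above rather than automatic action.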

Variations

Abnormal Recurring Communications to a Rare IP With a Port Commonly Used by Attack Platforms

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Application Layer Protocol (T1095)

Severity

Informational

Description

Abnormal, recurring communications were seen from an internal entity to a rare external IP address on a destination port commonly used by attack platforms. This could be beaconing to a C2 server.

Attacker's Goals

Communicate with malicious code running on your network, in order to gain further access to the endpoint and the network, to push updates to the malware on the endpoint, or to take inventory of infected machines.

Investigative actions

  • Determine whether the external IP address belongs to a reputable organization or to an asset hosted in a public cloud.
  • Determine whether the source of the traffic is malware. If the traffic originates from a malicious file, Cortex XDR Analytics also raises a malware alert for that file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual applications, unusual destination ports, or unusual traffic volumes.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process that initiated the traffic and look for artifacts on the infected endpoints.


Abnormal Recurring Communications to a Rare IP With a NetBIOS Port

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Application Layer Protocol (T1095)

Severity

Informational

Description

Abnormal, recurring communications were seen from an internal entity to a rare external IP address over a NetBIOS port. This could be beaconing to a C2 server.

Attacker's Goals

Communicate with malicious code running on your network, in order to gain further access to the endpoint and the network, to push updates to the malware on the endpoint, or to take inventory of infected machines.

Investigative actions

  • Determine whether the external IP address belongs to a reputable organization or to an asset hosted in a public cloud.
  • Determine whether the source of the traffic is malware. If the traffic originates from a malicious file, Cortex XDR Analytics also raises a malware alert for that file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual applications, unusual destination ports, or unusual traffic volumes.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process that initiated the traffic and look for artifacts on the infected endpoints.


Abnormal Recurring Communications to a Rare IP Using a Peer to Peer Protocol

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Application Layer Protocol (T1095)

Severity

Informational

Description

Abnormal, recurring communications were seen from an internal entity to a rare external IP address using a peer-to-peer protocol. This could be beaconing to a C2 server.

Attacker's Goals

Communicate with malicious code running on your network, in order to gain further access to the endpoint and the network, to push updates to the malware on the endpoint, or to take inventory of infected machines.

Investigative actions

  • Determine whether the external IP address belongs to a reputable organization or to an asset hosted in a public cloud.
  • Determine whether the source of the traffic is malware. If the traffic originates from a malicious file, Cortex XDR Analytics also raises a malware alert for that file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual applications, unusual destination ports, or unusual traffic volumes.
  • Confirm whether a peer-to-peer application is actually installed and sanctioned on the host; legitimate peer-to-peer clients also poll peers at regular intervals.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process that initiated the traffic and look for artifacts on the infected endpoints.


Abnormal Recurring Communications to a Rare IP Using a Gaming Protocol

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Application Layer Protocol (T1095)

Severity

Informational

Description

Abnormal, recurring communications were seen from an internal entity to a rare external IP address using a gaming protocol. This could be beaconing to a C2 server.

Attacker's Goals

Communicate with malicious code running on your network, in order to gain further access to the endpoint and the network, to push updates to the malware on the endpoint, or to take inventory of infected machines.

Investigative actions

  • Determine whether the external IP address belongs to a reputable organization or to an asset hosted in a public cloud.
  • Determine whether the source of the traffic is malware. If the traffic originates from a malicious file, Cortex XDR Analytics also raises a malware alert for that file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual applications, unusual destination ports, or unusual traffic volumes.
  • Confirm whether a game client is actually installed on the host and whether the process generating the traffic is that client; gaming protocols on a server or a host with no such software are the suspicious case.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process that initiated the traffic and look for artifacts on the infected endpoints.


Abnormal Recurring Communications to a Rare IP Using a Video and Audio Conversation Protocol

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Application Layer Protocol (T1095)

Severity

Informational

Description

Abnormal, recurring communications were seen from an internal entity to a rare external IP address using a video and audio conversation protocol. This could be beaconing to a C2 server.

Attacker's Goals

Communicate with malicious code running on your network, in order to gain further access to the endpoint and the network, to push updates to the malware on the endpoint, or to take inventory of infected machines.

Investigative actions

  • Determine whether the external IP address belongs to a reputable organization or to an asset hosted in a public cloud.
  • Determine whether the source of the traffic is malware. If the traffic originates from a malicious file, Cortex XDR Analytics also raises a malware alert for that file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual applications, unusual destination ports, or unusual traffic volumes.
  • Confirm whether the process generating the traffic is a known conferencing or calling client; such clients keep regular keep-alive traffic to their servers, so the application identity matters more than the timing alone.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process that initiated the traffic and look for artifacts on the infected endpoints.


Abnormal Recurring Communications to a Rare IP From an Unmanaged Host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Application Layer Protocol (T1095)

Severity

Informational

Description

Abnormal, recurring communications were seen from an unmanaged internal host to a rare external IP address. This could be beaconing to a C2 server.

Attacker's Goals

Communicate with malicious code running on your network, in order to gain further access to the endpoint and the network, to push updates to the malware on the endpoint, or to take inventory of infected machines.

Investigative actions

  • Determine whether the external IP address belongs to a reputable organization or to an asset hosted in a public cloud.
  • Identify the unmanaged host (owner, role, operating system) from the network logs; because there is no agent telemetry for it, the process-level and file-system checks below need another data source on that host.
  • Determine whether the source of the traffic is malware. If the traffic originates from a malicious file, Cortex XDR Analytics also raises a malware alert for that file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual applications, unusual destination ports, or unusual traffic volumes.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process that initiated the traffic and look for artifacts on the infected endpoints.