Synopsis
Description
An uncommon process is connecting to an external domain that is rarely accessed within the organization.
This connection pattern is consistent with malware initiating a connection to its command and control server.
Attacker's Goals
Communicate with malware running on your network to control its activities, push updates to it, or take inventory of infected machines.
Investigative actions
- Identify the process contacting the remote domain and determine whether the traffic is malicious.
- Look for other endpoints on your network that are also contacting the suspicious domain.
- Inspect the domain or URL for suspicious indicators or for its presence in malicious reputation lists.
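The alert condition and the three investigative actions above can be modelled directly over endpoint connection telemetry. The following is an added example and not the product's own detection logic: it treats a process or domain as "rare" when fewer than a threshold number of distinct hosts used it during the lookback window, flags connections where both are rare, and then gathers the context an analyst would want (other endpoints reaching the same domain, and a reputation lookup). The connection records, the thresholds, the process and domain names, and the reputation list are all constructed for illustration.

```python
"""Rarity-based model of the 'uncommon process to rare external host' alert.

Added example; not the product's own logic. The connection records, the
thresholds and the reputation list are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    host: str      # endpoint that made the connection
    process: str   # image name of the connecting process
    domain: str    # external destination


# Constructed sample telemetry over one lookback window. Most hosts run
# package managers and clients against well-known destinations; one host runs
# an unusual binary against a domain almost nobody else contacts.
CONNECTIONS = [
    Connection("web-01", "apt-get", "deb.debian.org"),
    Connection("web-02", "apt-get", "deb.debian.org"),
    Connection("web-03", "apt-get", "deb.debian.org"),
    Connection("db-01", "apt-get", "deb.debian.org"),
    Connection("web-01", "curl", "pypi.org"),
    Connection("web-02", "curl", "pypi.org"),
    Connection("build-01", "curl", "pypi.org"),
    Connection("build-01", "git", "github.com"),
    Connection("web-02", "git", "github.com"),
    Connection("db-01", "systemd-timesyncd", "pool.ntp.org"),
    Connection("web-03", "systemd-timesyncd", "pool.ntp.org"),
    Connection("web-03", ".cache-helper", "update-check.example"),  # the oddity
    Connection("build-01", "curl", "update-check.example"),         # second endpoint
]

# Constructed reputation list; a real one would come from threat-intel feeds.
KNOWN_BAD_DOMAINS = {"update-check.example"}

# Rarity thresholds (assumed): "rare" means fewer than this many distinct hosts.
RARE_PROCESS_HOSTS = 2
RARE_DOMAIN_HOSTS = 3


def host_prevalence(conns, key):
    """Count distinct hosts per value of `key` (a Connection attribute)."""
    seen = defaultdict(set)
    for c in conns:
        seen[getattr(c, key)].add(c.host)
    return {k: len(v) for k, v in seen.items()}


def find_uncommon_to_rare(conns):
    """Return (host, process, domain) triples where both the process and the
    domain are rare across the organization: the core alert condition."""
    proc_prev = host_prevalence(conns, "process")
    dom_prev = host_prevalence(conns, "domain")
    hits = set()
    for c in conns:
        if (proc_prev[c.process] < RARE_PROCESS_HOSTS
                and dom_prev[c.domain] < RARE_DOMAIN_HOSTS):
            hits.add((c.host, c.process, c.domain))
    return sorted(hits)


def other_endpoints_contacting(conns, domain, exclude_host):
    """Investigative action 2: which other endpoints reached the same domain?"""
    return sorted({c.host for c in conns
                   if c.domain == domain and c.host != exclude_host})


def domain_reputation(domain):
    """Investigative action 3: is the domain on a malicious-reputation list?"""
    return "listed" if domain in KNOWN_BAD_DOMAINS else "unknown"


def triage(conns):
    """Bundle each alert hit with the investigative context an analyst wants."""
    report = []
    for host, process, domain in find_uncommon_to_rare(conns):
        report.append({
            "host": host,
            "process": process,
            "domain": domain,
            "other_endpoints": other_endpoints_contacting(conns, domain, host),
            "reputation": domain_reputation(domain),
        })
    return report


if __name__ == "__main__":
    for entry in triage(CONNECTIONS):
        print(entry)
```

Note that the second connection to the rare domain (curl from build-01) does not itself raise the alert, because curl is common across the fleet; it is surfaced instead through the "other endpoints" lookup, which is why that investigative step matters even when only one host alerted.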
Variations
Each variation below shares the description, attacker's goals and investigative actions given above.
- Uncommon Linux process communication to a rare external host by an automated penetration testing tool
- Uncommon Linux process communication to a rare external host involving a code sharing website
- Uncommon Linux process communication to a rare external host involving a low-prevalence process connecting to a rare Top-Level Domain
- Uncommon Linux process communication to a rare external host with an external IP in the command line
- Uncommon Linux process communication to a rare external host using a data transfer tool (Severity: Low)
- Uncommon Linux process communication to a rare external host identified as global anomaly