LOLBIN connecting to a rare host

The LOLBIN Connecting to a Rare Host alert indicates that a living-off-the-land binary is communicating with an external host or domain which is rarely accessed by hosts in your organization.

Synopsis

14 Days
30 Days
N/A (single event)
1 Hour
Cortex XDR can raise this alert from any of the following combinations of data sources:
  • Corelight and XDR Agent
  • Palo Alto Networks Firewall Traffic Logs and XDR Agent
  • Third-Party Firewalls and XDR Agent
  • XDR Agent
Medium

Description

A LOLBIN connected to an external IP address or host, which are rarely connected to from the organization.

Attacker's Goals

Beacon to C2 server and/or exfiltrate data.

Investigative Actions

Check whether the process was injected to or otherwise subverted for malicious use.

Recommended For You