Script Connecting to Rare External Host


14 Days
30 Days
N/A (single event)
6 Hours
XDR Agent
For increased accuracy, you can also add the following optional data source: Palo Alto Networks Firewall Logs
No module required


Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

Attacker's Goals

Connect its Command and Control server.

Investigative Actions

  • Check the external host the script connects to.
  • Fetch and investigate the executed script.

Recommended For You