Scripts connecting to external
IP addresses may be sanctioned IT scripts. However, when those external
IP addresses are only receiving connections from a few specific
endpoints in the organization, these scripts may be an indicator
of more suspicious activity. Security testers and adversaries use
offensive frameworks that employ forms of scripting which result
in this type of network activity.