T1043

Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile.

Microsoft Sentinel / Defender

kusto

// Detect unusual processes communicating over commonly used ports
// Focus: non-browser/non-service processes using HTTP/HTTPS/DNS/SMTP/RDP/SSH/RPC
let CommonPorts = dynamic([80, 443, 53, 25, 22, 3389, 135]);
let LegitimateHTTPProcesses = dynamic([
  "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari",
  "svchost.exe", "MicrosoftEdge.exe", "OneDrive.exe", "Teams.exe",
  "outlook.exe", "winlogon.exe", "lsass.exe", "services.exe",
  "MsMpEng.exe", "wuauclt.exe", "WindowsUpdate", "TiWorker.exe",
  "msiexec.exe", "wermgr.exe", "SearchIndexer.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (CommonPorts)
| where ActionType == "ConnectionSuccess"
// Exclude obviously legitimate processes
| where InitiatingProcessFileName !in~ (LegitimateHTTPProcesses)
// Exclude internal RFC1918 destinations for some ports (keep RDP/SSH lateral movement)
| extend IsInternal = (RemoteIPType == "Private")
// Flag suspicious process categories
| extend IsScriptInterpreter = InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "wmic.exe"
  )
| extend IsLOLBin = InitiatingProcessFileName in~ (
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe",
    "regsvcs.exe", "ieexec.exe", "msiexec.exe", "expand.exe",
    "extrac32.exe", "makecab.exe", "pcalua.exe", "replace.exe",
    "hh.exe", "infdefaultinstall.exe", "xwizard.exe"
  )
| extend IsUnusualSystem = InitiatingProcessFileName in~ (
    "notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe",
    "write.exe", "winver.exe", "charmap.exe", "snippingtool.exe"
  )
| where IsScriptInterpreter or IsLOLBin or IsUnusualSystem
| project
    Timestamp,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    RemoteIP,
    RemotePort,
    RemoteIPType,
    IsInternal,
    IsScriptInterpreter,
    IsLOLBin,
    IsUnusualSystem
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Scripting engines (PowerShell, cscript) used by legitimate IT automation tools to call REST APIs over HTTPS (port 443) — common with Ansible, Chef, Puppet, SCCM
certutil.exe and bitsadmin.exe used by Windows Update or software distribution systems to fetch payloads over HTTP/HTTPS
msiexec.exe downloading MSI packages from internal or cloud distribution points over port 80/443
IT monitoring agents (SolarWinds, Datadog, Zabbix) using script-based checks that make HTTP requests
Developer workstations where build tools (msbuild.exe, csc.exe) reach out to NuGet package feeds over HTTPS

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval DestPort=tonumber(DestinationPort)
| where DestPort IN (80, 443, 53, 25, 22, 3389, 135)
| eval ImageBasename=replace(Image, ".*\\\\", "")
| eval IsScriptInterpreter=case(
    match(lower(ImageBasename), "(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe"), 1,
    true(), 0
  )
| eval IsLOLBin=case(
    match(lower(ImageBasename), "(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe"), 1,
    true(), 0
  )
| eval IsUnusualSystem=case(
    match(lower(ImageBasename), "(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe"), 1,
    true(), 0
  )
| where IsScriptInterpreter=1 OR IsLOLBin=1 OR IsUnusualSystem=1
| eval IsInternal=if(match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)"), 1, 0)
| eval SuspicionLabel=case(
    IsScriptInterpreter=1, "ScriptInterpreter",
    IsLOLBin=1, "LOLBin",
    IsUnusualSystem=1, "UnusualSystemProcess",
    true(), "Unknown"
  )
| table _time, host, User, ImageBasename, CommandLine, ParentImage, DestinationIp, DestPort, IsInternal, SuspicionLabel
| sort - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

PowerShell-based IT automation making REST API calls to internal or cloud services over HTTPS (port 443)
certutil.exe or bitsadmin.exe used by enterprise software distribution systems to retrieve payloads over HTTP/HTTPS
Build servers executing csc.exe or msbuild.exe that reach out to NuGet or internal artifact repositories
Monitoring scripts using wscript.exe or cscript.exe to query local management interfaces over HTTP
Remote desktop client components (mstsc.exe) and SSH utilities launched by automation over their respective ports

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  CASE
    WHEN LOWER("Process Name") SIMILAR TO '%(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe%' THEN 'ScriptInterpreter'
    WHEN LOWER("Process Name") SIMILAR TO '%(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe%' THEN 'LOLBin'
    WHEN LOWER("Process Name") SIMILAR TO '%(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe%' THEN 'UnusualSystemProcess'
    ELSE 'Unknown'
  END AS suspicion_label
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 352)
  AND destinationport IN (80, 443, 53, 25, 22, 3389, 135)
  AND starttime > NOW() - 1 DAYS
  AND (
    LOWER("Process Name") SIMILAR TO '%(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe%'
    OR LOWER("Process Name") SIMILAR TO '%(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe%'
    OR LOWER("Process Name") SIMILAR TO '%(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe%'
  )
  AND LOWER("Process Name") NOT SIMILAR TO '%(chrome|firefox|msedge|iexplore|microsoftedge|svchost|onedrive|teams|outlook|winlogon|lsass|services|msmpeng|wuauclt|tiworker|wermgr)\.exe%'
ORDER BY starttime DESC
LIMIT 500

medium severity medium confidence

Data Sources

Windows Security Event Log via QRadar DSM Sysmon via QRadar Universal DSM QRadar Network Activity (flows)

Required Tables

events

False Positives

Legitimate administrative PowerShell scripts connecting to internal web APIs (port 443) or DNS resolvers (port 53) during scheduled maintenance
Software deployment processes using msiexec.exe or bitsadmin.exe to retrieve packages from corporate patch distribution servers over HTTP/HTTPS
Security tooling or EDR agents that spawn cmd.exe for remediation tasks which then initiate network connections to management consoles

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/events
| where EventID = "3" or event_type = "network_connection"
| parse field=Image "*\\*" as image_dir, image_basename nodrop
| if(isNull(image_basename), Image, image_basename) as process_name
| where DestinationPort in ("80", "443", "53", "25", "22", "3389", "135") or dest_port in (80, 443, 53, 25, 22, 3389, 135)
| where !(process_name in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "MicrosoftEdge.exe", "svchost.exe", "OneDrive.exe", "Teams.exe",
    "outlook.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "MsMpEng.exe", "wuauclt.exe", "TiWorker.exe", "wermgr.exe",
    "SearchIndexer.exe"))
| eval IsScriptInterpreter = if(matches(toLowerCase(process_name), "(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\\.exe"), 1, 0)
| eval IsLOLBin = if(matches(toLowerCase(process_name), "(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\\.exe"), 1, 0)
| eval IsUnusualSystem = if(matches(toLowerCase(process_name), "(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\\.exe"), 1, 0)
| where IsScriptInterpreter = 1 or IsLOLBin = 1 or IsUnusualSystem = 1
| eval SuspicionLabel = if(IsScriptInterpreter=1, "ScriptInterpreter",
    if(IsLOLBin=1, "LOLBin",
    if(IsUnusualSystem=1, "UnusualSystemProcess", "Unknown")))
| eval IsInternal = if(matches(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[0-1])\\.|192\\.168\\.)"), "true", "false")
| fields _messageTime, Computer, User, process_name, CommandLine, ParentImage, DestinationIp, DestinationPort, IsInternal, SuspicionLabel
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Source Sysmon event forwarding via Sumo Logic Sumo Logic Cloud SIEM Enterprise (CSE) normalized events

Required Tables

windows/sysmon endpoint/events

False Positives

Automated backup or sync tools that spawn cmd.exe sub-processes to transfer data over HTTPS (port 443) to cloud storage endpoints
Penetration testing or red team exercises where LOLBins are deliberately used to simulate adversary techniques in authorized assessments
Legacy internal applications built as VBScript or WSH wrappers that legitimately communicate with internal web services or DNS over standard ports

Google Chronicle / SecOps

yaral

rule t1043_commonly_used_port_lolbin_network {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects script interpreters, LOLBins, and unusual Windows system utilities communicating over commonly used network ports, indicating potential C2 blending or exfiltration evasion."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1043"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1043/"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (80, 443, 53, 25, 22, 3389, 135)
    (
      re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe$`)
      or re.regex($e.principal.process.file.full_path, `(?i)(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe$`)
      or re.regex($e.principal.process.file.full_path, `(?i)(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe$`)
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome|firefox|msedge|iexplore|microsoftedge|svchost|onedrive|teams|outlook|winlogon|lsass|services|msmpeng|wuauclt|tiworker|wermgr|searchindexer)\.exe$`)

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle with Windows endpoint telemetry Chronicle Unified Data Model (UDM) network events Endpoint Detection and Response (EDR) forwarding to Chronicle

Required Tables

UDM network_connection events

False Positives

Enterprise software packaging tools using msiexec.exe to pull installers over HTTPS from internal distribution servers during software deployment windows
IT operations teams running PowerShell scripts that query internal DNS servers or make REST API calls to configuration management endpoints
Developer workstations where build tools like msbuild.exe or csc.exe make outbound connections to package repositories or license servers over standard ports

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4
| DestinationPort in [80, 443, 53, 25, 22, 3389, 135]
| regex(field=ImageFileName, regex="(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|wmic|rundll32|regsvr32|certutil|bitsadmin|msbuild|csc\.exe|installutil|regasm|regsvcs|ieexec|expand\.exe|extrac32|makecab|pcalua|hh\.exe|xwizard|notepad|calc\.exe|mspaint|wordpad|write\.exe|winver|charmap|snippingtool)\.exe$")
| !regex(field=ImageFileName, regex="(?i)(chrome|firefox|msedge|iexplore|microsoftedge|svchost|onedrive|teams|outlook|winlogon|lsass|services|msmpeng|wuauclt|tiworker|wermgr|searchindexer)\.exe$")
| ProcessName := lowercase(ImageFileName)
| SuspicionLabel := case(
    regex(ProcessName, "(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe$"), "ScriptInterpreter",
    regex(ProcessName, "(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc\.exe|installutil|regasm|regsvcs|ieexec|expand\.exe|extrac32|makecab|pcalua|hh\.exe|xwizard)\.exe$"), "LOLBin",
    regex(ProcessName, "(notepad|calc\.exe|mspaint|wordpad|write\.exe|winver|charmap|snippingtool)\.exe$"), "UnusualSystemProcess",
    default="Unknown"
  )
| IsInternal := regex(DestinationIpAddress, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[0-1])\\.|192\\.168\\.)")
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DestinationIpAddress, DestinationPort, IsInternal, SuspicionLabel])
| sort(timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Data Replicator (FDR) event stream CrowdStrike LogScale (formerly Humio)

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Falcon-managed scripts or response actions that spawn powershell.exe to execute remediation commands, which may briefly open connections to CrowdStrike cloud endpoints over port 443
Internal SOC tooling that uses cmd.exe or wscript.exe as orchestration wrappers for automated detection and response workflows connecting to SIEM or SOAR APIs
Legitimate use of certutil.exe or bitsadmin.exe by Windows Update or WSUS infrastructure to download patches and certificates from Microsoft CDN endpoints over HTTP/HTTPS

Last updated: 2026-04-16 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1043 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Commonly Used Port

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections