T1043 Elastic Security · Elastic

Detect Commonly Used Port in Elastic Security

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile.

MITRE ATT&CK

Tactic
Command and Control
Canonical reference
https://attack.mitre.org/techniques/T1043/

Elastic Detection Query

Elastic Security (Elastic)
eql 
network where event.type == "connection" and event.outcome == "success"
  and destination.port in (80, 443, 53, 25, 22, 3389, 135)
  and not process.name in~ (
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "MicrosoftEdge.exe", "safari", "svchost.exe", "OneDrive.exe",
    "Teams.exe", "outlook.exe", "winlogon.exe", "lsass.exe",
    "services.exe", "MsMpEng.exe", "wuauclt.exe", "TiWorker.exe",
    "msiexec.exe", "wermgr.exe", "SearchIndexer.exe"
  )
  and (
    process.name in~ (
      "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
      "cscript.exe", "mshta.exe", "wmic.exe"
    )
    or process.name in~ (
      "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
      "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe",
      "regsvcs.exe", "ieexec.exe", "expand.exe", "extrac32.exe",
      "makecab.exe", "pcalua.exe", "hh.exe", "xwizard.exe"
    )
    or process.name in~ (
      "notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe",
      "write.exe", "winver.exe", "charmap.exe", "snippingtool.exe"
    )
  )
medium severity high confidence

Detects script interpreters, LOLBins, and unusual system utilities initiating network connections on commonly used ports (HTTP/HTTPS/DNS/SMTP/SSH/RDP/RPC). These processes have no legitimate reason to make outbound connections on well-known service ports and may indicate C2 communication, data exfiltration, or lateral movement blending with normal traffic.

Data Sources

Elastic Endpoint SecurityElastic Agent with network monitoringWinlogbeat with Sysmon

Required Tables

logs-endpoint.events.network-*logs-system.security-*winlogbeat-*

False Positives & Tuning

  • Administrative scripts using certutil or bitsadmin for legitimate software downloads during patch management windows
  • Developer tools like msbuild.exe or csc.exe reaching out to NuGet or package repositories over port 443 during build pipelines
  • IT automation frameworks using cmd.exe or powershell.exe to query internal DNS (port 53) or connect to management endpoints
Download portable Sigma rule (.yml)

Other platforms for T1043

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell C2 Simulation over HTTPS Port 443

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the TcpClient command in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image=powershell.exe. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemotePort=443, RemoteIPType=Public.

  2. Test 2certutil.exe HTTP Download over Port 80

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache and -f in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:80 with Image containing certutil.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 if process creation auditing enabled.

  3. Test 3DNS Tunneling Simulation via nslookup Long Labels

    Expected signal: Sysmon Event ID 3: 10 Network Connection events to 8.8.8.8:53 with Image=nslookup.exe. The high-entropy subdomain labels are visible in DNS query logs if DNS logging is enabled. Windows DNS Client Event ID 3020 in Microsoft-Windows-DNS-Client/Operational for each resolution attempt.

  4. Test 4bitsadmin.exe HTTPS Download over Port 443

    Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /transfer and /download in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image containing bitsadmin.exe. Sysmon Event ID 11: File create event for output file on success. Security Event ID 4688 with command line if process creation auditing enabled.

Last updated: 2026-04-16 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1043 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1571Non-Standard PortT1071Application Layer ProtocolT1071.001Web ProtocolsT1071.004DNST1095Non-Application Layer ProtocolT1572Protocol TunnelingT1090ProxyT1105Ingress Tool TransferT1048Exfiltration Over Alternative ProtocolT1219Remote Access Tools

Same Tactic: Command and Control

Popular Detections