Detect Commonly Used Port in CrowdStrike LogScale
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1043/
LogScale Detection Query
#event_simpleName=NetworkConnectIP4
| DestinationPort in [80, 443, 53, 25, 22, 3389, 135]
| regex(field=ImageFileName, regex="(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|wmic|rundll32|regsvr32|certutil|bitsadmin|msbuild|csc\.exe|installutil|regasm|regsvcs|ieexec|expand\.exe|extrac32|makecab|pcalua|hh\.exe|xwizard|notepad|calc\.exe|mspaint|wordpad|write\.exe|winver|charmap|snippingtool)\.exe$")
| !regex(field=ImageFileName, regex="(?i)(chrome|firefox|msedge|iexplore|microsoftedge|svchost|onedrive|teams|outlook|winlogon|lsass|services|msmpeng|wuauclt|tiworker|wermgr|searchindexer)\.exe$")
| ProcessName := lowercase(ImageFileName)
| SuspicionLabel := case(
regex(ProcessName, "(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe$"), "ScriptInterpreter",
regex(ProcessName, "(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc\.exe|installutil|regasm|regsvcs|ieexec|expand\.exe|extrac32|makecab|pcalua|hh\.exe|xwizard)\.exe$"), "LOLBin",
regex(ProcessName, "(notepad|calc\.exe|mspaint|wordpad|write\.exe|winver|charmap|snippingtool)\.exe$"), "UnusualSystemProcess",
default="Unknown"
)
| IsInternal := regex(DestinationIpAddress, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[0-1])\\.|192\\.168\\.)")
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DestinationIpAddress, DestinationPort, IsInternal, SuspicionLabel])
| sort(timestamp, order=desc)CrowdStrike LogScale query using Falcon NetworkConnectIP4 telemetry to identify script interpreters, LOLBins, and anomalous Windows utilities making network connections to commonly used service ports. Leverages Falcon's high-fidelity process genealogy data to surface port-blending C2 and exfiltration activity that would blend with normal web traffic to perimeter defenses.
Data Sources
Required Tables
False Positives & Tuning
- Falcon-managed scripts or response actions that spawn powershell.exe to execute remediation commands, which may briefly open connections to CrowdStrike cloud endpoints over port 443
- Internal SOC tooling that uses cmd.exe or wscript.exe as orchestration wrappers for automated detection and response workflows connecting to SIEM or SOAR APIs
- Legitimate use of certutil.exe or bitsadmin.exe by Windows Update or WSUS infrastructure to download patches and certificates from Microsoft CDN endpoints over HTTP/HTTPS
Other platforms for T1043
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell C2 Simulation over HTTPS Port 443
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the TcpClient command in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image=powershell.exe. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemotePort=443, RemoteIPType=Public.
- Test 2certutil.exe HTTP Download over Port 80
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache and -f in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:80 with Image containing certutil.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 if process creation auditing enabled.
- Test 3DNS Tunneling Simulation via nslookup Long Labels
Expected signal: Sysmon Event ID 3: 10 Network Connection events to 8.8.8.8:53 with Image=nslookup.exe. The high-entropy subdomain labels are visible in DNS query logs if DNS logging is enabled. Windows DNS Client Event ID 3020 in Microsoft-Windows-DNS-Client/Operational for each resolution attempt.
- Test 4bitsadmin.exe HTTPS Download over Port 443
Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /transfer and /download in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image containing bitsadmin.exe. Sysmon Event ID 11: File create event for output file on success. Security Event ID 4688 with command line if process creation auditing enabled.
References (9)
- https://attack.mitre.org/techniques/T1043/
- https://attack.mitre.org/techniques/T1571/
- https://attack.mitre.org/techniques/T1071/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1043/T1043.md
- https://www.sans.org/reading-room/whitepapers/detection/detecting-dns-tunneling-34152
- https://lolbas-project.github.io/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1043 including response playbook, investigation guide, and atomic red team tests.