Detect Commonly Used Port in IBM QRadar
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1043/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
username,
"Process Name" AS process_name,
"Command" AS command_line,
"Parent Process Name" AS parent_process,
LOGSOURCENAME(logsourceid) AS log_source,
CATEGORYNAME(category) AS event_category,
CASE
WHEN LOWER("Process Name") SIMILAR TO '%(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe%' THEN 'ScriptInterpreter'
WHEN LOWER("Process Name") SIMILAR TO '%(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe%' THEN 'LOLBin'
WHEN LOWER("Process Name") SIMILAR TO '%(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe%' THEN 'UnusualSystemProcess'
ELSE 'Unknown'
END AS suspicion_label
FROM events
WHERE
LOGSOURCETYPEID IN (12, 13, 352)
AND destinationport IN (80, 443, 53, 25, 22, 3389, 135)
AND starttime > NOW() - 1 DAYS
AND (
LOWER("Process Name") SIMILAR TO '%(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe%'
OR LOWER("Process Name") SIMILAR TO '%(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe%'
OR LOWER("Process Name") SIMILAR TO '%(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe%'
)
AND LOWER("Process Name") NOT SIMILAR TO '%(chrome|firefox|msedge|iexplore|microsoftedge|svchost|onedrive|teams|outlook|winlogon|lsass|services|msmpeng|wuauclt|tiworker|wermgr)\.exe%'
ORDER BY starttime DESC
LIMIT 500Identifies script interpreters, living-off-the-land binaries (LOLBins), and unusual Windows system utilities that establish network connections over commonly used service ports. These process categories have no legitimate operational reason to initiate connections on ports 80, 443, 53, 25, 22, 3389, or 135, making any such connection a strong indicator of C2 beaconing, data exfiltration, or port-blending evasion.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative PowerShell scripts connecting to internal web APIs (port 443) or DNS resolvers (port 53) during scheduled maintenance
- Software deployment processes using msiexec.exe or bitsadmin.exe to retrieve packages from corporate patch distribution servers over HTTP/HTTPS
- Security tooling or EDR agents that spawn cmd.exe for remediation tasks which then initiate network connections to management consoles
Other platforms for T1043
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell C2 Simulation over HTTPS Port 443
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the TcpClient command in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image=powershell.exe. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemotePort=443, RemoteIPType=Public.
- Test 2certutil.exe HTTP Download over Port 80
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache and -f in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:80 with Image containing certutil.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 if process creation auditing enabled.
- Test 3DNS Tunneling Simulation via nslookup Long Labels
Expected signal: Sysmon Event ID 3: 10 Network Connection events to 8.8.8.8:53 with Image=nslookup.exe. The high-entropy subdomain labels are visible in DNS query logs if DNS logging is enabled. Windows DNS Client Event ID 3020 in Microsoft-Windows-DNS-Client/Operational for each resolution attempt.
- Test 4bitsadmin.exe HTTPS Download over Port 443
Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /transfer and /download in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image containing bitsadmin.exe. Sysmon Event ID 11: File create event for output file on success. Security Event ID 4688 with command line if process creation auditing enabled.
References (9)
- https://attack.mitre.org/techniques/T1043/
- https://attack.mitre.org/techniques/T1571/
- https://attack.mitre.org/techniques/T1071/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1043/T1043.md
- https://www.sans.org/reading-room/whitepapers/detection/detecting-dns-tunneling-34152
- https://lolbas-project.github.io/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1043 including response playbook, investigation guide, and atomic red team tests.