Detect Commonly Used Port in Microsoft Sentinel
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile.
MITRE ATT&CK
- Tactic: Command and Control
- Canonical reference: https://attack.mitre.org/techniques/T1043/
KQL Detection Query
```kql
// Detect unusual processes communicating over commonly used ports
// Focus: non-browser/non-service processes using HTTP/HTTPS/DNS/SMTP/RDP/SSH/RPC
let CommonPorts = dynamic([80, 443, 53, 25, 22, 3389, 135]);
// Allow-list of processes expected to talk on these ports.
// msiexec.exe is deliberately NOT listed here: it is flagged as a LOLBin below,
// and allow-listing it first would make that flag unreachable.
let LegitimateHTTPProcesses = dynamic([
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari",
    "svchost.exe", "MicrosoftEdge.exe", "OneDrive.exe", "Teams.exe",
    "outlook.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "MsMpEng.exe", "wuauclt.exe", "WindowsUpdate", "TiWorker.exe",
    "wermgr.exe", "SearchIndexer.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (CommonPorts)
| where ActionType == "ConnectionSuccess"
// Exclude obviously legitimate processes (case-insensitive match)
| where InitiatingProcessFileName !in~ (LegitimateHTTPProcesses)
// Mark RFC1918 destinations but do not drop them: internal RDP/SSH from an odd
// process is exactly the lateral-movement case we want to keep visible
| extend IsInternal = (RemoteIPType == "Private")
// Flag suspicious process categories
| extend IsScriptInterpreter = InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "wmic.exe"
)
| extend IsLOLBin = InitiatingProcessFileName in~ (
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe",
    "regsvcs.exe", "ieexec.exe", "msiexec.exe", "expand.exe",
    "extrac32.exe", "makecab.exe", "pcalua.exe", "replace.exe",
    "hh.exe", "infdefaultinstall.exe", "xwizard.exe"
)
| extend IsUnusualSystem = InitiatingProcessFileName in~ (
    "notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe",
    "write.exe", "winver.exe", "charmap.exe", "snippingtool.exe"
)
| where IsScriptInterpreter or IsLOLBin or IsUnusualSystem
| project
    Timestamp,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    RemoteIP,
    RemotePort,
    RemoteIPType,
    IsInternal,
    IsScriptInterpreter,
    IsLOLBin,
    IsUnusualSystem
| sort by Timestamp desc
```

Detects unusual processes (script interpreters, LOLBins, desktop utilities) making outbound network connections over commonly used ports (80, 443, 53, 25, 22, 3389, 135). Adversaries use these ports to blend C2 traffic with legitimate services. The query focuses on process-port anomalies: processes that have no business reason to initiate connections on these well-known ports, which is a strong indicator of protocol camouflage or C2 channel abuse.
Data Sources
Required Tables
- DeviceNetworkEvents (Microsoft Defender for Endpoint); the query reads only this table
False Positives & Tuning
- Scripting engines (PowerShell, cscript) used by legitimate IT automation tools to call REST APIs over HTTPS (port 443) — common with Ansible, Chef, Puppet, SCCM
- certutil.exe and bitsadmin.exe used by Windows Update or software distribution systems to fetch payloads over HTTP/HTTPS
- msiexec.exe downloading MSI packages from internal or cloud distribution points over port 80/443
- IT monitoring agents (SolarWinds, Datadog, Zabbix) using script-based checks that make HTTP requests
- Developer workstations where build tools (msbuild.exe, csc.exe) reach out to NuGet package feeds over HTTPS
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell C2 Simulation over HTTPS Port 443
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the TcpClient command in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image=powershell.exe. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemotePort=443, RemoteIPType=Public.
- Test 2: certutil.exe HTTP Download over Port 80
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache and -f in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:80 with Image containing certutil.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 if process creation auditing is enabled.
- Test 3: DNS Tunneling Simulation via nslookup Long Labels
Expected signal: Sysmon Event ID 3: 10 Network Connection events to 8.8.8.8:53 with Image=nslookup.exe. The high-entropy subdomain labels are visible in DNS query logs if DNS logging is enabled. Windows DNS Client Event ID 3020 in Microsoft-Windows-DNS-Client/Operational for each resolution attempt.
- Test 4: bitsadmin.exe HTTPS Download over Port 443
Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /transfer and /download in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image containing bitsadmin.exe. Sysmon Event ID 11: File Create event for the output file on success. Security Event ID 4688 with command line if process creation auditing is enabled.
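As an added example that is not part of the original page or its query: the same process/port classification re-implemented in Python and run over constructed DeviceNetworkEvents-style rows for the four tests above, with a tuning allowlist that encodes the automation-host and developer-workstation exceptions from the False Positives section. The rows, the parent process names (ansible-runner.exe, devenv.exe) and the device-name prefixes are assumptions.

```python
# Added example, not from the original page: the KQL rules re-implemented in Python over
# constructed DeviceNetworkEvents-style rows. Field names follow the table; data is constructed.
COMMON_PORTS = {80, 443, 53, 25, 22, 3389, 135}
LEGIT = {"chrome.exe", "firefox.exe", "msedge.exe", "svchost.exe", "outlook.exe"}
SCRIPT = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}
LOLBIN = {"rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "csc.exe", "msiexec.exe"}
UNUSUAL = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}
# Tuning allowlist (constructed): suppress only when process, parent AND device prefix all match,
# so an exception for PowerShell under an automation runner does not also silence certutil.exe there.
TUNING = {("powershell.exe", "ansible-runner.exe"): "AUT-",   # IT automation host (assumed naming)
          ("msbuild.exe", "devenv.exe"): "DEV-"}               # developer workstation (assumed naming)

def classify(ev):
    """Return the flag columns the KQL query would emit, or None if the row is filtered out."""
    proc = ev["InitiatingProcessFileName"].lower()
    if ev["RemotePort"] not in COMMON_PORTS or ev["ActionType"] != "ConnectionSuccess" or proc in LEGIT:
        return None
    flags = {"IsInternal": ev["RemoteIPType"] == "Private",
             "IsScriptInterpreter": proc in SCRIPT,
             "IsLOLBin": proc in LOLBIN,
             "IsUnusualSystem": proc in UNUSUAL}
    return flags if any(flags[k] for k in ("IsScriptInterpreter", "IsLOLBin", "IsUnusualSystem")) else None

def tuned_out(ev):
    """True when the row matches a tuning allowlist entry (process + parent + device prefix)."""
    prefix = TUNING.get((ev["InitiatingProcessFileName"].lower(), ev["InitiatingProcessParentFileName"].lower()))
    return prefix is not None and ev["DeviceName"].upper().startswith(prefix)

def run(events):
    """Alerts surviving both the query logic and the tuning step, as (DeviceName, process, port)."""
    return [(ev["DeviceName"], ev["InitiatingProcessFileName"], ev["RemotePort"])
            for ev in events if classify(ev) and not tuned_out(ev)]

def row(device, proc, parent, port, ip_type, action="ConnectionSuccess"):
    return dict(DeviceName=device, InitiatingProcessFileName=proc, InitiatingProcessParentFileName=parent,
                RemotePort=port, RemoteIPType=ip_type, ActionType=action)

# Constructed telemetry: the four Atomic tests above, a browser, a failed connection and two tuning cases.
SAMPLE_EVENTS = [
    row("WS-01", "powershell.exe", "explorer.exe", 443, "Public"),                 # Test 1
    row("WS-01", "certutil.exe", "cmd.exe", 80, "Public"),                         # Test 2
    row("WS-01", "nslookup.exe", "cmd.exe", 53, "Public"),                         # Test 3: in no flag list
    row("WS-02", "bitsadmin.exe", "cmd.exe", 443, "Public"),                       # Test 4
    row("WS-02", "chrome.exe", "explorer.exe", 443, "Public"),                     # allow-listed browser
    row("WS-02", "mshta.exe", "explorer.exe", 443, "Public", "ConnectionFailed"),  # not a success
    row("AUT-01", "powershell.exe", "ansible-runner.exe", 443, "Public"),          # tuned out
    row("WS-03", "certutil.exe", "ansible-runner.exe", 80, "Public"),              # parent alone is not enough
]
```

Note that nslookup.exe (Test 3) appears in none of the query's process lists, so that test produces Sysmon telemetry but no alert from this query as written; covering it needs a DNS-specific rule rather than a wider process list.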
References (9)
- https://attack.mitre.org/techniques/T1043/
- https://attack.mitre.org/techniques/T1571/
- https://attack.mitre.org/techniques/T1071/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1043/T1043.md
- https://www.sans.org/reading-room/whitepapers/detection/detecting-dns-tunneling-34152
- https://lolbas-project.github.io/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon