Detect Commonly Used Port in Splunk
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1043/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval DestPort=tonumber(DestinationPort)
| where DestPort IN (80, 443, 53, 25, 22, 3389, 135)
| eval ImageBasename=replace(Image, ".*\\\\", "")
| eval IsScriptInterpreter=case(
match(lower(ImageBasename), "(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe"), 1,
true(), 0
)
| eval IsLOLBin=case(
match(lower(ImageBasename), "(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe"), 1,
true(), 0
)
| eval IsUnusualSystem=case(
match(lower(ImageBasename), "(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe"), 1,
true(), 0
)
| where IsScriptInterpreter=1 OR IsLOLBin=1 OR IsUnusualSystem=1
| eval IsInternal=if(match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)"), 1, 0)
| eval SuspicionLabel=case(
IsScriptInterpreter=1, "ScriptInterpreter",
IsLOLBin=1, "LOLBin",
IsUnusualSystem=1, "UnusualSystemProcess",
true(), "Unknown"
)
| table _time, host, User, ImageBasename, CommandLine, ParentImage, DestinationIp, DestPort, IsInternal, SuspicionLabel
| sort - _timeDetects script interpreters, LOLBins, and unusual system processes initiating network connections over commonly used ports (80, 443, 53, 25, 22, 3389, 135) via Sysmon Event ID 3 (Network Connection). Classifies each match by suspicion category (ScriptInterpreter, LOLBin, UnusualSystemProcess) to aid analyst triage. Protocol-port abuse by these process types is a strong indicator of C2 camouflage or adversary-controlled beaconing.
Data Sources
Required Sourcetypes
False Positives & Tuning
- PowerShell-based IT automation making REST API calls to internal or cloud services over HTTPS (port 443)
- certutil.exe or bitsadmin.exe used by enterprise software distribution systems to retrieve payloads over HTTP/HTTPS
- Build servers executing csc.exe or msbuild.exe that reach out to NuGet or internal artifact repositories
- Monitoring scripts using wscript.exe or cscript.exe to query local management interfaces over HTTP
- Remote desktop client components (mstsc.exe) and SSH utilities launched by automation over their respective ports
Other platforms for T1043
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell C2 Simulation over HTTPS Port 443
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the TcpClient command in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image=powershell.exe. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemotePort=443, RemoteIPType=Public.
- Test 2certutil.exe HTTP Download over Port 80
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache and -f in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:80 with Image containing certutil.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 if process creation auditing enabled.
- Test 3DNS Tunneling Simulation via nslookup Long Labels
Expected signal: Sysmon Event ID 3: 10 Network Connection events to 8.8.8.8:53 with Image=nslookup.exe. The high-entropy subdomain labels are visible in DNS query logs if DNS logging is enabled. Windows DNS Client Event ID 3020 in Microsoft-Windows-DNS-Client/Operational for each resolution attempt.
- Test 4bitsadmin.exe HTTPS Download over Port 443
Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /transfer and /download in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image containing bitsadmin.exe. Sysmon Event ID 11: File create event for output file on success. Security Event ID 4688 with command line if process creation auditing enabled.
References (9)
- https://attack.mitre.org/techniques/T1043/
- https://attack.mitre.org/techniques/T1571/
- https://attack.mitre.org/techniques/T1071/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1043/T1043.md
- https://www.sans.org/reading-room/whitepapers/detection/detecting-dns-tunneling-34152
- https://lolbas-project.github.io/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1043 including response playbook, investigation guide, and atomic red team tests.