T1043 Sumo Logic CSE · Sumo

Detect Commonly Used Port in Sumo Logic CSE

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile.

MITRE ATT&CK

Tactic
Command and Control
Canonical reference
https://attack.mitre.org/techniques/T1043/

Sumo Detection Query

// Sysmon Event ID 3 from the installed collector, or CSE-normalized endpoint network events
_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/events
| where EventID = "3" or event_type = "network_connection"
// Keep only the file name from the full Image path, lower-cased so the lists below match regardless of case
| parse regex field=Image "(?<image_basename>[^\\]+)$" nodrop
| if(isNull(image_basename), toLowerCase(Image), toLowerCase(image_basename)) as process_name
| where DestinationPort in ("80", "443", "53", "25", "22", "3389", "135") or dest_port in (80, 443, 53, 25, 22, 3389, 135)
// Processes expected to use these ports; entries are lower-case to match process_name
| where !(process_name in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "microsoftedge.exe", "svchost.exe", "onedrive.exe", "teams.exe",
    "outlook.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "msmpeng.exe", "wuauclt.exe", "tiworker.exe", "wermgr.exe",
    "searchindexer.exe"))
// Sumo has no eval: derived fields use if(...) as <field>, and matches /.../ takes an RE2 regex
| if(process_name matches /^(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe$/, 1, 0) as IsScriptInterpreter
| if(process_name matches /^(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe$/, 1, 0) as IsLOLBin
| if(process_name matches /^(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe$/, 1, 0) as IsUnusualSystem
| where IsScriptInterpreter = 1 or IsLOLBin = 1 or IsUnusualSystem = 1
// First matching category wins
| if(IsScriptInterpreter = 1, "ScriptInterpreter",
    if(IsLOLBin = 1, "LOLBin",
    if(IsUnusualSystem = 1, "UnusualSystemProcess", "Unknown"))) as SuspicionLabel
// RFC 1918 destination: connection stays inside the enclave rather than egressing to the Internet
| if(DestinationIp matches /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)/, "true", "false") as IsInternal
| fields _messageTime, Computer, User, process_name, CommandLine, ParentImage, DestinationIp, DestinationPort, IsInternal, SuspicionLabel
| sort by _messageTime desc
Severity: medium. Confidence: high.

Detects Windows script interpreters, LOLBins, and unusual GUI applications making outbound network connections over commonly used service ports (HTTP, HTTPS, DNS, SMTP, SSH, RDP, RPC). Such connections are highly anomalous and indicative of malware using port-blending techniques to evade detection by masquerading as legitimate web or service traffic.
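The query's triage logic (basename extraction, allow-list, label precedence, RFC 1918 check) as an added Python example, not part of this page or Sumo Logic's content, run over constructed Sysmon Event ID 3 records whose field names mirror Sysmon's Image, DestinationIp and DestinationPort:

```python
# Added example, not Sumo Logic's code: the CSE query's triage logic rewritten in
# Python and run over constructed Sysmon Event ID 3 records so it can be tested offline.
import ipaddress
import re

COMMON_PORTS = {80, 443, 53, 25, 22, 3389, 135}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The query's allow-list of processes expected on these ports, compared case-insensitively
ALLOWLIST = {p.lower() for p in (
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "MicrosoftEdge.exe", "svchost.exe",
    "OneDrive.exe", "Teams.exe", "outlook.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "MsMpEng.exe", "wuauclt.exe", "TiWorker.exe", "wermgr.exe", "SearchIndexer.exe")}
# Checked in order, first match wins: the same precedence as the query's nested if()
LABELS = [
    ("ScriptInterpreter", r"^(powershell|pwsh|cmd|wscript|cscript|mshta|wmic)\.exe$"),
    ("LOLBin", r"^(rundll32|regsvr32|certutil|bitsadmin|msbuild|csc|installutil|regasm"
               r"|regsvcs|ieexec|expand|extrac32|makecab|pcalua|hh|xwizard)\.exe$"),
    ("UnusualSystemProcess", r"^(notepad|calc|mspaint|wordpad|write|winver|charmap|snippingtool)\.exe$"),
]

def basename(image):  # last component of Sysmon's Image field, either separator
    return re.split(r"[\\/]", image)[-1]

def is_internal(ip):  # RFC 1918 destination, as the query's IsInternal regex
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def classify(event):
    """Return a finding for a suspicious network-connection record, or None if filtered out."""
    if str(event.get("EventID")) != "3" or int(event["DestinationPort"]) not in COMMON_PORTS:
        return None
    name = basename(event["Image"]).lower()
    if name in ALLOWLIST:
        return None
    label = next((lbl for lbl, rx in LABELS if re.match(rx, name)), None)
    if label is None:
        return None
    return {"process_name": name, "SuspicionLabel": label,
            "DestinationPort": int(event["DestinationPort"]), "IsInternal": is_internal(event["DestinationIp"])}

def ev(image, ip, port):  # constructed Sysmon-style record, not real telemetry
    return {"EventID": 3, "Image": image, "DestinationIp": ip, "DestinationPort": port}
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "93.184.216.34", 443),  # ScriptInterpreter
    ev(r"C:\Windows\System32\certutil.exe", "10.0.0.5", 80),                                 # LOLBin, internal
    ev(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "93.184.216.34", 443),     # allow-listed
    ev(r"C:\Windows\System32\cmd.exe", "10.0.0.9", 8080),                                    # not a common port
]
def run(events=SAMPLE_EVENTS):
    return [f for f in map(classify, events) if f is not None]
```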

Data Sources

  • Sumo Logic Installed Collector with Windows Source
  • Sysmon event forwarding via Sumo Logic
  • Sumo Logic Cloud SIEM Enterprise (CSE) normalized events

Required Tables

  • windows/sysmon
  • endpoint/events

False Positives & Tuning

  • Automated backup or sync tools that spawn cmd.exe sub-processes to transfer data over HTTPS (port 443) to cloud storage endpoints
  • Penetration testing or red team exercises where LOLBins are deliberately used to simulate adversary techniques in authorized assessments
  • Legacy internal applications built as VBScript or WSH wrappers that legitimately communicate with internal web services or DNS over standard ports
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: PowerShell C2 Simulation over HTTPS Port 443

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the TcpClient command in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image=powershell.exe. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemotePort=443, RemoteIPType=Public.

  2. Test 2: certutil.exe HTTP Download over Port 80

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache and -f in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:80 with Image containing certutil.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 if process creation auditing enabled.

  3. Test 3: DNS Tunneling Simulation via nslookup Long Labels

    Expected signal: Sysmon Event ID 3: 10 Network Connection events to 8.8.8.8:53 with Image=nslookup.exe. The high-entropy subdomain labels are visible in DNS query logs if DNS logging is enabled. Windows DNS Client Event ID 3020 in Microsoft-Windows-DNS-Client/Operational for each resolution attempt.

  4. Test 4: bitsadmin.exe HTTPS Download over Port 443

    Expected signal: Sysmon Event ID 1: Process Create for bitsadmin.exe with /transfer and /download in CommandLine. Sysmon Event ID 3: Network Connection to 93.184.216.34:443 with Image containing bitsadmin.exe. Sysmon Event ID 11: File create event for output file on success. Security Event ID 4688 with command line if process creation auditing enabled.
