T1571

Non-Standard Port

This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.

Microsoft Sentinel / Defender

kusto

let SuspiciousNonStandardPorts = dynamic([444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337]);
let HighRiskProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "svchost.exe"]);
let StandardWebPorts = dynamic([80, 443, 8080, 8443, 3000, 5000, 5001, 9000]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| extend ProcessLower = tolower(InitiatingProcessFileName)
| extend IsHighRiskProcess = ProcessLower in~ (HighRiskProcesses)
| extend IsKnownC2Port = RemotePort in (SuspiciousNonStandardPorts)
| extend IsNonStandardFromHighRisk = IsHighRiskProcess and RemotePort !in (StandardWebPorts) and RemotePort != 53 and RemotePort != 25
| where IsKnownC2Port or IsNonStandardFromHighRisk
| extend RiskScore = case(
    IsHighRiskProcess and IsKnownC2Port, 3,
    IsHighRiskProcess and IsNonStandardFromHighRisk, 2,
    IsKnownC2Port, 1,
    0
)
| summarize
    TotalConnections = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    PortsUsed = make_set(RemotePort, 20),
    RemoteIPs = make_set(RemoteIP, 10),
    MaxRiskScore = max(RiskScore),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessParentFileName
| where MaxRiskScore >= 1
| extend AlertSeverity = case(
    MaxRiskScore >= 3, "High",
    MaxRiskScore == 2, "Medium",
    "Low"
)
| project-reorder DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessParentFileName, PortsUsed, UniqueRemoteIPs, TotalConnections, MaxRiskScore, AlertSeverity, FirstSeen, LastSeen
| order by MaxRiskScore desc, TotalConnections desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Developer tooling and local services running on non-standard ports (e.g., Node.js apps on 3001, Python Flask on 5000, webpack dev server on 8088)
Legitimate email relay over port 587 (SMTP STARTTLS) from mail client processes like outlook.exe or thunderbird.exe
cPanel/WHM web hosting control panel using ports 2083 and 2087 for legitimate SSL management
Security scanning tools (Nmap, Nessus, Metasploit listener) run by authorized red team or pentesters
VPN and proxy clients that tunnel legitimate traffic over non-standard ports

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval dest_port=tonumber(DestinationPort)
| eval Initiated=coalesce(Initiated, "true")
| where Initiated="true"
| eval is_known_c2_port=if(dest_port IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337), 1, 0)
| eval is_high_risk_process=if(match(lower(Image), "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe)"), 1, 0)
| eval is_standard_port=if(dest_port IN (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000), 1, 0)
| eval is_non_standard_from_high_risk=if(is_high_risk_process=1 AND is_standard_port=0 AND dest_port > 1024, 1, 0)
| where is_known_c2_port=1 OR is_non_standard_from_high_risk=1
| eval risk_score=case(
    is_high_risk_process=1 AND is_known_c2_port=1, 3,
    is_high_risk_process=1 AND is_non_standard_from_high_risk=1, 2,
    is_known_c2_port=1, 1,
    true(), 0)
| eval alert_severity=case(risk_score>=3, "High", risk_score=2, "Medium", true(), "Low")
| stats count as connection_count,
    values(DestinationIp) as remote_ips,
    values(DestinationPort) as ports_used,
    max(risk_score) as max_risk_score,
    min(_time) as first_seen,
    max(_time) as last_seen,
    values(alert_severity) as severity
    by host, Image, User, ParentImage
| where max_risk_score >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk_score, -connection_count
| table host, Image, User, ParentImage, ports_used, remote_ips, connection_count, max_risk_score, severity, first_seen, last_seen

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate web applications or microservices on developer machines using high ports (e.g., 8088, 8888) for local dev servers
Authorized penetration testing tools generating C2-like traffic on known test ports (4444, 1337)
cPanel/WHM hosting management legitimately using ports 2083/2087 for SSL-secured web hosting control

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "ProcessPath" AS process_name,
  "ParentProcessPath" AS parent_process,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  CASE
    WHEN LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
      OR LOWER("ProcessPath") LIKE '%pwsh.exe' OR LOWER("ProcessPath") LIKE '%wscript.exe'
      OR LOWER("ProcessPath") LIKE '%cscript.exe' OR LOWER("ProcessPath") LIKE '%mshta.exe'
      OR LOWER("ProcessPath") LIKE '%rundll32.exe' OR LOWER("ProcessPath") LIKE '%regsvr32.exe'
      OR LOWER("ProcessPath") LIKE '%certutil.exe' OR LOWER("ProcessPath") LIKE '%bitsadmin.exe'
      OR LOWER("ProcessPath") LIKE '%msiexec.exe'
    THEN 1 ELSE 0
  END AS is_high_risk_process,
  CASE
    WHEN destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    THEN 1 ELSE 0
  END AS is_known_c2_port,
  CASE
    WHEN (
      (LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
        OR LOWER("ProcessPath") LIKE '%pwsh.exe' OR LOWER("ProcessPath") LIKE '%wscript.exe'
        OR LOWER("ProcessPath") LIKE '%cscript.exe' OR LOWER("ProcessPath") LIKE '%mshta.exe'
        OR LOWER("ProcessPath") LIKE '%rundll32.exe' OR LOWER("ProcessPath") LIKE '%regsvr32.exe'
        OR LOWER("ProcessPath") LIKE '%certutil.exe' OR LOWER("ProcessPath") LIKE '%bitsadmin.exe'
        OR LOWER("ProcessPath") LIKE '%msiexec.exe')
      AND destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    ) THEN 3
    WHEN (
      (LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
        OR LOWER("ProcessPath") LIKE '%pwsh.exe' OR LOWER("ProcessPath") LIKE '%wscript.exe'
        OR LOWER("ProcessPath") LIKE '%cscript.exe' OR LOWER("ProcessPath") LIKE '%mshta.exe'
        OR LOWER("ProcessPath") LIKE '%rundll32.exe' OR LOWER("ProcessPath") LIKE '%regsvr32.exe'
        OR LOWER("ProcessPath") LIKE '%certutil.exe' OR LOWER("ProcessPath") LIKE '%bitsadmin.exe'
        OR LOWER("ProcessPath") LIKE '%msiexec.exe')
      AND destinationport NOT IN (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000)
      AND destinationport > 1024
    ) THEN 2
    WHEN destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    THEN 1
    ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 65, 94, 352)
  AND devicetime > NOW() - 1 DAYS
  AND NOT (destinationip BETWEEN '10.0.0.0' AND '10.255.255.255'
    OR destinationip BETWEEN '172.16.0.0' AND '172.31.255.255'
    OR destinationip BETWEEN '192.168.0.0' AND '192.168.255.255')
  AND (
    destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    OR (
      (LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
        OR LOWER("ProcessPath") LIKE '%wscript.exe' OR LOWER("ProcessPath") LIKE '%cscript.exe'
        OR LOWER("ProcessPath") LIKE '%mshta.exe' OR LOWER("ProcessPath") LIKE '%rundll32.exe'
        OR LOWER("ProcessPath") LIKE '%regsvr32.exe' OR LOWER("ProcessPath") LIKE '%certutil.exe'
        OR LOWER("ProcessPath") LIKE '%bitsadmin.exe' OR LOWER("ProcessPath") LIKE '%msiexec.exe')
      AND destinationport NOT IN (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000)
      AND destinationport > 1024
    )
  )
  AND risk_score >= 1
ORDER BY risk_score DESC, devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon (via Windows log sources) Microsoft Windows Security Event Log

Required Tables

events

False Positives

Managed security tools or EDR agents that communicate with cloud backends on non-standard ports (e.g., port 8088 for telemetry) may trigger alerts — build exclusions for known agent process names and vendor IP ranges
Legitimate administrative scripts using certutil.exe for certificate operations or bitsadmin.exe for authorized downloads may connect to infrastructure on non-standard ports — validate with change management and asset inventory
Custom enterprise applications built on scripting runtimes (Python, PowerShell DSC) that reach internal or partner APIs on non-standard ports — baseline and suppress known-good source/destination combinations

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "3"
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "DestinationIp: *" as dest_ip nodrop
| parse field=Message "DestinationPort: *" as dest_port_str nodrop
| parse field=Message "User: *" as username nodrop
| parse field=Message "ParentImage: *" as parent_image nodrop
| parse field=Message "Initiated: *" as initiated nodrop
| where initiated = "true"
| num(dest_port_str) as dest_port
| where !(dest_ip matches /^10\./ or dest_ip matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or dest_ip matches /^192\.168\./)
| eval is_known_c2_port = if(dest_port in (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337), 1, 0)
| eval process_lower = toLowerCase(process_image)
| eval is_high_risk = if(process_lower matches /.*(\/|\\)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$/, 1, 0)
| eval is_standard_port = if(dest_port in (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000), 1, 0)
| eval is_non_std_high_risk = if(is_high_risk = 1 and is_standard_port = 0 and dest_port > 1024, 1, 0)
| where is_known_c2_port = 1 or is_non_std_high_risk = 1
| eval risk_score = if(is_high_risk = 1 and is_known_c2_port = 1, 3, if(is_high_risk = 1 and is_non_std_high_risk = 1, 2, if(is_known_c2_port = 1, 1, 0)))
| eval severity = if(risk_score >= 3, "High", if(risk_score = 2, "Medium", "Low"))
| stats count as connection_count, values(dest_ip) as remote_ips, values(dest_port) as ports_used, max(risk_score) as max_risk_score, min(_messageTime) as first_seen, max(_messageTime) as last_seen, values(severity) as alert_severity by _sourceHost, process_image, username, parent_image
| where max_risk_score >= 1
| tourl(_sourceHost, "https://sumologic.com") as host_link
| sort by max_risk_score desc, connection_count desc
| fields _sourceHost, process_image, username, parent_image, ports_used, remote_ips, connection_count, max_risk_score, alert_severity, first_seen, last_seen

high severity high confidence

Data Sources

Sumo Logic (Sysmon via Windows agent) Sumo Logic Cloud SIEM Enterprise

Required Tables

Sysmon EventID 3 (Network Connect) via Sumo Logic installed collector

False Positives

Package managers and update clients (chocolatey, winget, Windows Update agents invoked via msiexec.exe) may connect to CDN endpoints on non-standard ports — validate destination hostname and correlate with patch maintenance windows
Development environments with PowerShell-based test harnesses that reach local or staging APIs on high ports will generate false positives — exclude known developer workstation subnet ranges and suppress by machine OU
SOC tooling such as Velociraptor, OSQuery, or endpoint agents initiated by svchost.exe may communicate on non-standard ports — verify against known security tool inventory and whitelist by destination IP

Google Chronicle / SecOps

yaral

rule t1571_non_standard_port_c2 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects C2 activity over non-standard ports, correlating high-risk process initiators with known threat actor port patterns (WIRTE, PingPull, Contagious Interview). Scores events by process risk and port suspicion."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1571"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.principal.process.file.full_path != ""
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    (
      $e.target.port = 444 or
      $e.target.port = 587 or
      $e.target.port = 1224 or
      $e.target.port = 1337 or
      $e.target.port = 2083 or
      $e.target.port = 2087 or
      $e.target.port = 4443 or
      $e.target.port = 4444 or
      $e.target.port = 4445 or
      $e.target.port = 6666 or
      $e.target.port = 6667 or
      $e.target.port = 6668 or
      $e.target.port = 7777 or
      $e.target.port = 8008 or
      $e.target.port = 8088 or
      $e.target.port = 8888 or
      $e.target.port = 9001 or
      $e.target.port = 9090 or
      $e.target.port = 31337 or
      re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$`) and
        (
          $e.target.port = 444 or $e.target.port = 587 or $e.target.port = 1224 or
          $e.target.port = 1337 or $e.target.port = 2083 or $e.target.port = 2087 or
          $e.target.port = 4443 or $e.target.port = 4444 or $e.target.port = 4445 or
          $e.target.port = 6666 or $e.target.port = 6667 or $e.target.port = 6668 or
          $e.target.port = 7777 or $e.target.port = 8008 or $e.target.port = 8088 or
          $e.target.port = 8888 or $e.target.port = 9001 or $e.target.port = 9090 or
          $e.target.port = 31337
        ), 3,
        if(
          re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$`) and
          $e.target.port > 1024, 2, 1
        )
      )
    )
    $hostname = $e.principal.hostname
    $process = $e.principal.process.file.full_path
    $user = $e.principal.user.userid
    $parent_process = $e.principal.process.parent_process.file.full_path
    $dest_ip = $e.target.ip
    $dest_port = $e.target.port
    $event_count = count_distinct($e.target.ip)

  condition:
    $e and $risk_score >= 1
}

high severity high confidence

Data Sources

Google Chronicle (UDM ingestion) Endpoint telemetry via Chronicle forwarder Windows Event Logs (Sysmon) EDR network telemetry

Required Tables

UDM events with metadata.event_type = NETWORK_CONNECTION

False Positives

Legitimate cloud-based SaaS applications may communicate over port 8088 or 8888 for API traffic — validate destination domain against threat intelligence and known SaaS provider IP ranges before alerting
PowerShell-based configuration management tools (DSC, Ansible WinRM) may use elevated ports for management channels — correlate with authorized configuration management schedule and source host role
certutil.exe used for authorized PKI operations or OCSP/CRL checking may occasionally reach non-standard ports depending on enterprise CA configuration — validate against PKI infrastructure IP list

CrowdStrike LogScale (CQL)

cql

// T1571 — Non-Standard Port C2 Detection
// Detect outbound connections to known C2 ports or high-risk processes on non-standard ports

#event_simpleName = NetworkConnectIP4
| DestinationPort = *
| LocalAddressIP4 != "127.0.0.1"
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| RPort := DestinationPort
| isKnownC2Port := if(
    RPort in [444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337],
    "true", "false"
  )
| isHighRiskProcess := if(
    lower(ImageFileName) = /.*[\\\/](cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$/,
    "true", "false"
  )
| isStandardPort := if(
    RPort in [80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000],
    "true", "false"
  )
| isNonStdHighRisk := if(
    isHighRiskProcess = "true" and isStandardPort = "false" and RPort > 1024,
    "true", "false"
  )
| RiskScore := if(
    isHighRiskProcess = "true" and isKnownC2Port = "true", 3,
    if(isHighRiskProcess = "true" and isNonStdHighRisk = "true", 2,
    if(isKnownC2Port = "true", 1, 0))
  )
| RiskScore > 0
| AlertSeverity := if(RiskScore >= 3, "High", if(RiskScore = 2, "Medium", "Low"))
| groupBy(
    [ComputerName, ImageFileName, UserName, ParentBaseFileName],
    function=[
      count(aid, as=ConnectionCount),
      collect(RemoteAddressIP4, max=10, as=RemoteIPs),
      collect(DestinationPort, max=20, as=PortsUsed),
      max(RiskScore, as=MaxRiskScore),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen),
      collect(AlertSeverity, max=1, as=Severity)
    ]
  )
| MaxRiskScore >= 1
| sort(MaxRiskScore, order=desc)
| sort(ConnectionCount, order=desc)
| select([ComputerName, ImageFileName, UserName, ParentBaseFileName, PortsUsed, RemoteIPs, ConnectionCount, MaxRiskScore, Severity, FirstSeen, LastSeen])

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (NetworkConnectIP4 events) CrowdStrike Falcon Platform

Required Tables

NetworkConnectIP4 (Falcon sensor network telemetry)

False Positives

Falcon sensor itself or third-party EDR components may initiate connections on non-standard ports for telemetry or sensor updates — exclude known sensor process names and CrowdStrike cloud IP ranges from detection scope
msiexec.exe spawned by software deployment tools (SCCM, Intune) may reach package distribution servers on non-standard ports during patch cycles — correlate with deployment windows using Falcon's scheduled activity context
svchost.exe hosting Windows Update or WMI services may occasionally connect to Microsoft CDN endpoints on ports like 8088 — validate destination against Microsoft published IP ranges and suppress known-good service host DLL combinations

Last updated: 2026-04-21 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1571 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Non-Standard Port

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections