T1571 Google Chronicle · YARA-L

Detect Non-Standard Port in Google Chronicle

This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1571 Non-Standard Port
Canonical reference: https://attack.mitre.org/techniques/T1571/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1571_non_standard_port_c2 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects C2 activity over non-standard ports, correlating high-risk process initiators with known threat actor port patterns (WIRTE, PingPull, Contagious Interview). Scores events by process risk and port suspicion."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1571"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.principal.process.file.full_path != ""

    // Public destinations only: drop RFC 1918 and loopback targets.
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")

    // Either a port seen in WIRTE / PingPull / Contagious Interview
    // infrastructure, or a high-risk initiator reaching a non-standard
    // (> 1024) port. The port guard on the second branch keeps ordinary
    // svchost.exe traffic to 80/443 out of the rule, matching the
    // behaviour described for this detection.
    (
      $e.target.port = 444 or
      $e.target.port = 587 or
      $e.target.port = 1224 or
      $e.target.port = 1337 or
      $e.target.port = 2083 or
      $e.target.port = 2087 or
      $e.target.port = 4443 or
      $e.target.port = 4444 or
      $e.target.port = 4445 or
      $e.target.port = 6666 or
      $e.target.port = 6667 or
      $e.target.port = 6668 or
      $e.target.port = 7777 or
      $e.target.port = 8008 or
      $e.target.port = 8088 or
      $e.target.port = 8888 or
      $e.target.port = 9001 or
      $e.target.port = 9090 or
      $e.target.port = 31337 or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$`) and
        $e.target.port > 1024
      )
    )

    // Placeholder variable for the match section; YARA-L groups on
    // placeholders, not directly on UDM field paths.
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // 3 = high-risk process on a known C2 port
    // 2 = high-risk process on any other port above 1024
    // 1 = known C2 port reached by any other process
    $risk_score = max(
      if(
        re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$`) and
        (
          $e.target.port = 444 or $e.target.port = 587 or $e.target.port = 1224 or
          $e.target.port = 1337 or $e.target.port = 2083 or $e.target.port = 2087 or
          $e.target.port = 4443 or $e.target.port = 4444 or $e.target.port = 4445 or
          $e.target.port = 6666 or $e.target.port = 6667 or $e.target.port = 6668 or
          $e.target.port = 7777 or $e.target.port = 8008 or $e.target.port = 8088 or
          $e.target.port = 8888 or $e.target.port = 9001 or $e.target.port = 9090 or
          $e.target.port = 31337
        ), 3,
        if(
          re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$`) and
          $e.target.port > 1024, 2, 1
        )
      )
    )

    // With a match section present, event fields in outcome must be
    // aggregated. $hostname is already exposed as the match variable.
    $process = array_distinct($e.principal.process.file.full_path)
    $user = array_distinct($e.principal.user.userid)
    $parent_process = array_distinct($e.principal.process.parent_process.file.full_path)
    $dest_ip = array_distinct($e.target.ip)
    $dest_port = array_distinct($e.target.port)
    $event_count = count($e.metadata.id)
    $distinct_dest_ips = count_distinct($e.target.ip)

  condition:
    $e and $risk_score >= 1
}

Chronicle YARA-L 2.0 rule detecting outbound connections to known C2 ports or high-risk processes connecting to non-standard ports on public IPs. Groups events by host over a 5-minute window and computes a risk score (1-3) based on the combination of process type and destination port. Surfaces WIRTE, PingPull, and Contagious Interview campaign port patterns.

Data Sources

  • Google Chronicle (UDM ingestion)
  • Endpoint telemetry via Chronicle forwarder
  • Windows Event Logs (Sysmon)
  • EDR network telemetry

Required Tables

UDM events with metadata.event_type = NETWORK_CONNECTION

False Positives & Tuning

  • Legitimate cloud-based SaaS applications may communicate over port 8088 or 8888 for API traffic — validate destination domain against threat intelligence and known SaaS provider IP ranges before alerting
  • PowerShell-based configuration management tools (DSC, Ansible WinRM) may use elevated ports for management channels — correlate with authorized configuration management schedule and source host role
  • certutil.exe used for authorized PKI operations or OCSP/CRL checking may occasionally reach non-standard ports depending on enterprise CA configuration — validate against PKI infrastructure IP list

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Netcat C2 Listener on Non-Standard Port (Windows)

    Expected signal: Sysmon Event ID 3: DestinationPort=4444, Image=powershell.exe, Initiated=true. DeviceNetworkEvents: RemotePort=4444, InitiatingProcessFileName=powershell.exe.

  2. Test 2: HTTPS Beacon Simulation Over Port 8088 (Linux/macOS)

    Expected signal: Sysmon/auditd network events: DestinationPort=8088, process=curl or python3. Linux netstat/ss shows ESTABLISHED connections on port 8088.

  3. Test 3: RDP Port Change via Registry (Windows)

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject contains 'RDP-Tcp\PortNumber', Details=33890. DeviceRegistryEvents: RegistryKey contains 'RDP-Tcp', RegistryValueName=PortNumber, RegistryValueData=33890.

  4. Test 4: Beaconing Simulation at Regular Intervals on Non-Standard Port

    Expected signal: Sysmon Event ID 3: 10 network connection events, DestinationPort=9001, Image=powershell.exe, at ~60-second intervals. DeviceNetworkEvents shows RegularInterval connections to port 9001.
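The scoring tiers and the 5-minute host window are easiest to sanity-check offline before the rule is pushed to Chronicle. The Python below is an added example, not part of this detection package or of Chronicle: it re-implements the rule's port list, process regex, CIDR exclusions and 1-3 risk tiers over constructed Sysmon-style events modelled on the expected signals of Tests 1, 2 and 4 above (Test 3 produces registry telemetry, which a NETWORK_CONNECTION rule never sees, so it is not represented). Hostnames, timestamps, the documentation-range IPs and the field names of the event dicts are all assumptions made for the example; the tumbling-window grouping approximates, rather than reproduces, Chronicle's match semantics.

```python
"""Offline dry-run of the T1571 non-standard-port scoring logic (added example).

Constructed Sysmon-style events (not real telemetry) are scored with the
rule's tiers and grouped per host over a 5-minute window so that tier
boundaries and window behaviour can be checked before deployment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port list copied from the rule's events section.
KNOWN_C2_PORTS = {444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666,
                  6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337}

# High-risk initiator regex copied from the rule.
HIGH_RISK_PROCESS = re.compile(
    r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|"
    r"mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|"
    r"msiexec\.exe|svchost\.exe)$")

# Destination ranges the rule excludes (RFC 1918 plus loopback).
EXCLUDED_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

MATCH_WINDOW = timedelta(minutes=5)


def risk_score(event: dict) -> int:
    """Return 0 if the event never enters the rule, otherwise the 1-3 tier.

    Tier 3: high-risk process on a known C2 port.
    Tier 2: high-risk process on any other port above 1024.
    Tier 1: known C2 port reached by any other process.
    """
    if event["direction"] != "OUTBOUND" or not event["image"]:
        return 0
    if any(ipaddress.ip_address(event["dest_ip"]) in net for net in EXCLUDED_RANGES):
        return 0
    port = event["dest_port"]
    risky_proc = HIGH_RISK_PROCESS.search(event["image"]) is not None
    known_port = port in KNOWN_C2_PORTS
    if risky_proc and known_port:
        return 3
    if risky_proc and port > 1024:
        return 2
    if known_port:
        return 1
    return 0


def _summarise(bucket: list) -> dict:
    """Per-window summary shaped like the rule's outcome section."""
    return {
        "risk_score": max(score for _, score in bucket),
        "event_count": len(bucket),
        "distinct_dest_ips": len({ev["dest_ip"] for ev, _ in bucket}),
        "dest_ports": sorted({ev["dest_port"] for ev, _ in bucket}),
    }


def correlate(events: list) -> dict:
    """Approximate the match section: per host, tumbling 5-minute windows
    anchored on the first scored event. Returns {hostname: [summary, ...]}."""
    by_host = defaultdict(list)
    for ev in events:
        score = risk_score(ev)
        if score:
            by_host[ev["hostname"]].append((ev, score))
    alerts = defaultdict(list)
    for host, scored in by_host.items():
        scored.sort(key=lambda pair: pair[0]["ts"])
        window_start, bucket = scored[0][0]["ts"], []
        for ev, score in scored:
            if ev["ts"] - window_start > MATCH_WINDOW:
                alerts[host].append(_summarise(bucket))
                window_start, bucket = ev["ts"], []
            bucket.append((ev, score))
        alerts[host].append(_summarise(bucket))
    return dict(alerts)


T0 = datetime(2026, 4, 21, 12, 0, 0)  # assumed start time for the sample
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _ev(host, offset_s, image, ip, port):
    return {"hostname": host, "ts": T0 + timedelta(seconds=offset_s),
            "direction": "OUTBOUND", "image": image, "dest_ip": ip, "dest_port": port}


# Constructed events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    _ev("WS01", 0, PS, "203.0.113.10", 4444),                                  # Test 1: tier 3
    _ev("WS01", 30, r"C:\Windows\System32\svchost.exe", "203.0.113.20", 443),  # standard port: no match
    _ev("WS01", 45, r"C:\Windows\System32\cmd.exe", "10.1.2.3", 4444),         # RFC 1918: excluded
    _ev("WS03", 0, PS, "203.0.113.30", 50000),                                 # unknown high port: tier 2
    _ev("LNX01", 0, "/usr/bin/curl", "198.51.100.5", 8088),                    # Test 2: tier 1 (curl not high-risk)
] + [_ev("WS02", 60 * i, PS, "203.0.113.40", 9001) for i in range(10)]         # Test 4: 9-minute beacon

if __name__ == "__main__":
    for host, summaries in sorted(correlate(SAMPLE_EVENTS).items()):
        for summary in summaries:
            print(host, summary)
```

Running it shows the Test 4 beacon split across two windows (6 events, then 4), which is the behaviour to expect from the 5-minute match when a beacon outlives the window, and shows the Test 2 curl event landing at tier 1 only, since curl is not in the high-risk process list.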
