T1571 Elastic Security · Elastic

Detect Non-Standard Port in Elastic Security

This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1571 Non-Standard Port
Canonical reference
https://attack.mitre.org/techniques/T1571/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name, process.name with maxspan=5m
  [network where event.action == "connection_attempted" and
   network.direction == "egress" and
   destination.ip != null and
   not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
   (
     destination.port in (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337) or
     (
       process.name like~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "svchost.exe") and
       not destination.port in (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000) and
       destination.port > 1024
     )
   )
  ]
high severity high confidence

Detects outbound network connections to non-standard ports commonly used for C2 communications. Correlates high-risk processes (scripting interpreters, LOLBins) with suspicious port usage and scores events based on the combination of process risk and port suspicion. Covers known threat actor port patterns from WIRTE, PingPull, and Contagious Interview campaigns.

Data Sources

Elastic Endpoint SecurityElastic Agent (network events)Packetbeat

Required Tables

logs-endpoint.events.network-*logs-network_traffic.*

False Positives & Tuning

  • Developer tools such as Node.js, Python HTTP servers, or local development proxies legitimately use ports like 3000, 8088, or 9001 — validate process context and destination IP reputation
  • Email clients or MTA software connecting to port 587 for SMTP submission is a standard operation — filter by process name (e.g., outlook.exe, thunderbird.exe) and verify the destination is a known mail provider
  • Security scanning tools and network utilities (nmap, curl, wget) used by administrators may probe non-standard ports during authorized assessments — cross-reference with change management records
  • VPN or tunneling software may use non-standard ports for encapsulation — validate against known VPN infrastructure and authorized software inventory
Download portable Sigma rule (.yml)

Other platforms for T1571

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Netcat C2 Listener on Non-Standard Port (Windows)

    Expected signal: Sysmon Event ID 3: DestinationPort=4444, Image=powershell.exe, Initiated=true. DeviceNetworkEvents: RemotePort=4444, InitiatingProcessFileName=powershell.exe.

  2. Test 2HTTPS Beacon Simulation Over Port 8088 (Linux/macOS)

    Expected signal: Sysmon/auditd network events: DestinationPort=8088, process=curl or python3. Linux netstat/ss shows ESTABLISHED connections on port 8088.

  3. Test 3RDP Port Change via Registry (Windows)

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject contains 'RDP-Tcp\PortNumber', Details=33890. DeviceRegistryEvents: RegistryKey contains 'RDP-Tcp', RegistryValueName=PortNumber, RegistryValueData=33890.

  4. Test 4Beaconing Simulation at Regular Intervals on Non-Standard Port

    Expected signal: Sysmon Event ID 3: 10 network connection events, DestinationPort=9001, Image=powershell.exe, at ~60-second intervals. DeviceNetworkEvents shows RegularInterval connections to port 9001.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1571 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1071Application Layer ProtocolT1573Encrypted ChannelT1219Remote Access ToolsT1205Traffic SignalingT1568Dynamic ResolutionT1090Proxy

Same Tactic: Command and Control

Popular Detections