Detect Non-Standard Port in CrowdStrike LogScale

This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1571 Non-Standard Port
Canonical reference
https://attack.mitre.org/techniques/T1571/

LogScale Detection Query

CrowdStrike LogScale query (CQL)
// T1571 — Non-Standard Port C2 Detection
// Detect outbound connections to known C2 ports, or from high-risk processes to any non-standard port

#event_simpleName = NetworkConnectIP4
// Some Falcon ingests expose the remote port as RemotePort rather than DestinationPort; alias accordingly
| DestinationPort = *
| LocalAddressIP4 != "127.0.0.1"
// Drop RFC1918 destinations: this rule is about egress to external infrastructure
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| RPort := DestinationPort
// Port membership uses the in() filter inside case{}; `field in [...]` is not valid CQL
| case {
    in(RPort, values=["444", "587", "1224", "1337", "2083", "2087", "4443", "4444", "4445", "6666", "6667", "6668", "7777", "8008", "8088", "8888", "9001", "9090", "31337"]) | isKnownC2Port := "true";
    * | isKnownC2Port := "false"
  }
// Scripting interpreters and LOLBins; the /i flag makes the match case-insensitive
| case {
    ImageFileName = /[\\\/](cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$/i | isHighRiskProcess := "true";
    * | isHighRiskProcess := "false"
  }
// Common web/admin/dev ports are never scored as "non-standard" for tier 2
| case {
    in(RPort, values=["80", "443", "8080", "8443", "53", "25", "3000", "5000", "9000"]) | isStandardPort := "true";
    * | isStandardPort := "false"
  }
| isNonStdHighRisk := if(
    isHighRiskProcess = "true" and isStandardPort = "false" and RPort > 1024,
    "true", "false"
  )
// Tier 3: high-risk process to known C2 port; tier 2: high-risk process to any non-standard port; tier 1: any process to known C2 port
| RiskScore := if(
    isHighRiskProcess = "true" and isKnownC2Port = "true", 3,
    if(isHighRiskProcess = "true" and isNonStdHighRisk = "true", 2,
    if(isKnownC2Port = "true", 1, 0))
  )
| RiskScore > 0
| groupBy(
    [ComputerName, ImageFileName, UserName, ParentBaseFileName],
    function=[
      count(aid, as=ConnectionCount),
      collect(RemoteAddressIP4, max=10, as=RemoteIPs),
      collect(DestinationPort, max=20, as=PortsUsed),
      max(RiskScore, as=MaxRiskScore),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
// Derive severity from the group's highest score rather than collecting one arbitrary per-event value
| Severity := if(MaxRiskScore >= 3, "High", if(MaxRiskScore = 2, "Medium", "Low"))
// A single sort with both keys; a second sort() call would discard the first ordering
| sort([MaxRiskScore, ConnectionCount], order=desc)
| select([ComputerName, ImageFileName, UserName, ParentBaseFileName, PortsUsed, RemoteIPs, ConnectionCount, MaxRiskScore, Severity, FirstSeen, LastSeen])
Severity: High. Confidence: High.

This CrowdStrike LogScale CQL query detects non-standard port C2 activity from Falcon NetworkConnectIP4 telemetry. It identifies outbound connections from high-risk Windows processes (scripting interpreters, LOLBins) to known threat actor ports or to any non-standard port, excluding RFC1918 destinations and standard web/admin ports, and implements the same three-tier risk scoring as the reference KQL and SPL queries.
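The scoring logic is easier to reason about (and to regression-test before deploying a change to the port lists) when modelled outside the SIEM. The following Python is an added example, not the page's or CrowdStrike's code: it mirrors the query's pre-filters, the three scoring tiers and the per-host grouping, and runs them over a handful of constructed events that use the same field names as the query (ImageFileName, DestinationPort, RemoteAddressIP4). The sample telemetry is invented for illustration and is not real Falcon data.

```python
"""Reference model of the three-tier T1571 scoring used by the LogScale query above.

Added example; field names follow the query, events below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Port lists copied from the query
KNOWN_C2_PORTS = {444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667,
                  6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337}
STANDARD_PORTS = {80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000}
HIGH_RISK_PROCESS = re.compile(
    r"[\\/](cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|"
    r"certutil|bitsadmin|msiexec|svchost)\.exe$", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_scope(event):
    """Mirror the query's pre-filters: NetworkConnectIP4, non-loopback, non-RFC1918 destination."""
    if event.get("event_simpleName") != "NetworkConnectIP4":
        return False
    if event.get("LocalAddressIP4") == "127.0.0.1":
        return False
    dst = ipaddress.ip_address(event["RemoteAddressIP4"])
    return not any(dst in net for net in RFC1918)


def risk_score(event):
    """Tier 3: high-risk process to a known C2 port. Tier 2: high-risk process to any
    non-standard port above 1024. Tier 1: any process to a known C2 port. Otherwise 0."""
    port = int(event["DestinationPort"])
    risky_proc = bool(HIGH_RISK_PROCESS.search(event["ImageFileName"]))
    known_c2 = port in KNOWN_C2_PORTS
    non_std_high_risk = risky_proc and port not in STANDARD_PORTS and port > 1024
    if risky_proc and known_c2:
        return 3
    if non_std_high_risk:
        return 2
    if known_c2:
        return 1
    return 0


def severity(score):
    return "High" if score >= 3 else "Medium" if score == 2 else "Low"


def summarize(events):
    """Group scored events like the query's groupBy and derive severity from the group's max score."""
    groups = defaultdict(lambda: {"ConnectionCount": 0, "PortsUsed": set(),
                                  "RemoteIPs": set(), "MaxRiskScore": 0})
    for ev in events:
        if not in_scope(ev):
            continue
        score = risk_score(ev)
        if score == 0:  # equivalent to `RiskScore > 0` in the query
            continue
        key = (ev["ComputerName"], ev["ImageFileName"], ev["UserName"], ev["ParentBaseFileName"])
        g = groups[key]
        g["ConnectionCount"] += 1
        g["PortsUsed"].add(int(ev["DestinationPort"]))
        g["RemoteIPs"].add(ev["RemoteAddressIP4"])
        g["MaxRiskScore"] = max(g["MaxRiskScore"], score)
    for g in groups.values():
        g["Severity"] = severity(g["MaxRiskScore"])
    # sort([MaxRiskScore, ConnectionCount], order=desc)
    return sorted(groups.items(),
                  key=lambda kv: (kv[1]["MaxRiskScore"], kv[1]["ConnectionCount"]), reverse=True)


def _ev(image, parent, port, remote, computer="WS01", user="alice", local="10.1.2.3"):
    """Build a constructed NetworkConnectIP4-shaped event (not real Falcon telemetry)."""
    return {"event_simpleName": "NetworkConnectIP4", "ComputerName": computer, "UserName": user,
            "ImageFileName": image, "ParentBaseFileName": parent, "DestinationPort": str(port),
            "RemoteAddressIP4": remote, "LocalAddressIP4": local}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    _ev(PS, "explorer.exe", 4444, "203.0.113.10"),    # tier 3: interpreter to known C2 port
    _ev(PS, "explorer.exe", 51234, "203.0.113.11"),   # tier 2: interpreter to arbitrary high port
    _ev(PS, "explorer.exe", 4444, "10.9.9.9"),        # excluded: RFC1918 destination
    _ev(CHROME, "explorer.exe", 8088, "198.51.100.7"),  # tier 1: ordinary process, C2-associated port
    _ev(CMD, "explorer.exe", 443, "198.51.100.8"),    # score 0: standard port, suppressed
]

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_EVENTS):
        print(key[0], key[1].rsplit("\\", 1)[-1], g["Severity"], g["MaxRiskScore"],
              g["ConnectionCount"], sorted(g["PortsUsed"]))
```

Because the grouped severity comes from the group's maximum score, a host whose PowerShell has touched both a known C2 port and an arbitrary high port surfaces once as High, rather than as separate Medium and High rows or with an arbitrary per-event severity.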

Data Sources

CrowdStrike Falcon EDR (NetworkConnectIP4 events), CrowdStrike Falcon Platform

Required Tables

NetworkConnectIP4 (Falcon sensor network telemetry)

False Positives & Tuning

  • Falcon sensor itself or third-party EDR components may initiate connections on non-standard ports for telemetry or sensor updates — exclude known sensor process names and CrowdStrike cloud IP ranges from detection scope
  • msiexec.exe spawned by software deployment tools (SCCM, Intune) may reach package distribution servers on non-standard ports during patch cycles — correlate with deployment windows using Falcon's scheduled activity context
  • svchost.exe hosting Windows Update or WMI services may occasionally connect to Microsoft CDN endpoints on ports like 8088 — validate destination against Microsoft published IP ranges and suppress known-good service host DLL combinations

Testing Methodology

Validate this detection against the following 4 Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Netcat C2 Listener on Non-Standard Port (Windows)

    Expected signal: Sysmon Event ID 3: DestinationPort=4444, Image=powershell.exe, Initiated=true. DeviceNetworkEvents: RemotePort=4444, InitiatingProcessFileName=powershell.exe.

  2. Test 2: HTTPS Beacon Simulation Over Port 8088 (Linux/macOS)

    Expected signal: Sysmon/auditd network events: DestinationPort=8088, process=curl or python3. Linux netstat/ss shows ESTABLISHED connections on port 8088.

  3. Test 3: RDP Port Change via Registry (Windows)

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject contains 'RDP-Tcp\PortNumber', Details=33890. DeviceRegistryEvents: RegistryKey contains 'RDP-Tcp', RegistryValueName=PortNumber, RegistryValueData=33890.

  4. Test 4: Beaconing Simulation at Regular Intervals on Non-Standard Port

    Expected signal: Sysmon Event ID 3: 10 network connection events, DestinationPort=9001, Image=powershell.exe, at ~60-second intervals. DeviceNetworkEvents shows regular-interval connections to port 9001.
