Detect Non-Standard Port in IBM QRadar

This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1571 Non-Standard Port
Canonical reference: https://attack.mitre.org/techniques/T1571/

QRadar Detection Query

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "ProcessPath" AS process_name,
  "ParentProcessPath" AS parent_process,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  CASE
    WHEN LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
      OR LOWER("ProcessPath") LIKE '%pwsh.exe' OR LOWER("ProcessPath") LIKE '%wscript.exe'
      OR LOWER("ProcessPath") LIKE '%cscript.exe' OR LOWER("ProcessPath") LIKE '%mshta.exe'
      OR LOWER("ProcessPath") LIKE '%rundll32.exe' OR LOWER("ProcessPath") LIKE '%regsvr32.exe'
      OR LOWER("ProcessPath") LIKE '%certutil.exe' OR LOWER("ProcessPath") LIKE '%bitsadmin.exe'
      OR LOWER("ProcessPath") LIKE '%msiexec.exe'
    THEN 1 ELSE 0
  END AS is_high_risk_process,
  CASE
    WHEN destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    THEN 1 ELSE 0
  END AS is_known_c2_port,
  CASE
    WHEN (
      (LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
        OR LOWER("ProcessPath") LIKE '%pwsh.exe' OR LOWER("ProcessPath") LIKE '%wscript.exe'
        OR LOWER("ProcessPath") LIKE '%cscript.exe' OR LOWER("ProcessPath") LIKE '%mshta.exe'
        OR LOWER("ProcessPath") LIKE '%rundll32.exe' OR LOWER("ProcessPath") LIKE '%regsvr32.exe'
        OR LOWER("ProcessPath") LIKE '%certutil.exe' OR LOWER("ProcessPath") LIKE '%bitsadmin.exe'
        OR LOWER("ProcessPath") LIKE '%msiexec.exe')
      AND destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    ) THEN 3
    WHEN (
      (LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
        OR LOWER("ProcessPath") LIKE '%pwsh.exe' OR LOWER("ProcessPath") LIKE '%wscript.exe'
        OR LOWER("ProcessPath") LIKE '%cscript.exe' OR LOWER("ProcessPath") LIKE '%mshta.exe'
        OR LOWER("ProcessPath") LIKE '%rundll32.exe' OR LOWER("ProcessPath") LIKE '%regsvr32.exe'
        OR LOWER("ProcessPath") LIKE '%certutil.exe' OR LOWER("ProcessPath") LIKE '%bitsadmin.exe'
        OR LOWER("ProcessPath") LIKE '%msiexec.exe')
      AND destinationport NOT IN (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000)
      AND destinationport > 1024
    ) THEN 2
    WHEN destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    THEN 1
    ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 65, 94, 352)
  AND NOT (INCIDR('10.0.0.0/8', destinationip)
    OR INCIDR('172.16.0.0/12', destinationip)
    OR INCIDR('192.168.0.0/16', destinationip))
  AND (
    destinationport IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337)
    OR (
      (LOWER("ProcessPath") LIKE '%cmd.exe' OR LOWER("ProcessPath") LIKE '%powershell.exe'
        OR LOWER("ProcessPath") LIKE '%pwsh.exe' OR LOWER("ProcessPath") LIKE '%wscript.exe'
        OR LOWER("ProcessPath") LIKE '%cscript.exe' OR LOWER("ProcessPath") LIKE '%mshta.exe'
        OR LOWER("ProcessPath") LIKE '%rundll32.exe' OR LOWER("ProcessPath") LIKE '%regsvr32.exe'
        OR LOWER("ProcessPath") LIKE '%certutil.exe' OR LOWER("ProcessPath") LIKE '%bitsadmin.exe'
        OR LOWER("ProcessPath") LIKE '%msiexec.exe')
      AND destinationport NOT IN (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000)
      AND destinationport > 1024
    )
  )
ORDER BY risk_score DESC, devicetime DESC
LIMIT 500
LAST 1 DAYS

Severity: high
Confidence: medium

QRadar AQL query detecting non-standard port C2 communications by correlating Sysmon network connection events with high-risk process names and suspicious port lists. Implements the same three-tier risk scoring model as the reference KQL/SPL queries, filtering public destination IPs and excluding standard web and admin ports.
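As an added example (not part of the page's detection package), the same three-tier scoring replayed in Python over constructed Sysmon Event ID 3 records, so the tiers can be unit-tested before tuning. The process paths and documentation-range IPs are constructed sample data chosen to mirror the Testing Methodology scenarios.

```python
import ipaddress
from dataclasses import dataclass

# Process suffixes and port lists copied from the page's AQL query.
HIGH_RISK_PROCESSES = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                       "bitsadmin.exe", "msiexec.exe")
KNOWN_C2_PORTS = {444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668,
                  7777, 8008, 8088, 8888, 9001, 9090, 31337}
STANDARD_PORTS = {80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class NetEvent:
    """The Sysmon Event ID 3 fields the query uses: ProcessPath, destinationip, destinationport."""
    image: str
    dest_ip: str
    dest_port: int

def is_high_risk(image):
    # Same suffix match as the AQL `LOWER("ProcessPath") LIKE '%name.exe'`.
    return image.lower().endswith(HIGH_RISK_PROCESSES)

def risk_score(ev):
    """Three-tier score from the query; None means out of scope (RFC 1918 destination)."""
    if any(ipaddress.ip_address(ev.dest_ip) in net for net in RFC1918):
        return None
    high, port = is_high_risk(ev.image), ev.dest_port
    if high and port in KNOWN_C2_PORTS:
        return 3  # high-risk process to a known C2 port
    if high and port not in STANDARD_PORTS and port > 1024:
        return 2  # high-risk process to any other non-standard high port
    if port in KNOWN_C2_PORTS:
        return 1  # known C2 port, ordinary process
    return 0      # suppressed: ordinary process on a standard or unlisted port

def triage(events):
    """WHERE / ORDER BY equivalent: drop out-of-scope and zero-score events, highest risk first."""
    hits = [(s, ev.image, ev.dest_port) for ev in events if (s := risk_score(ev))]
    return sorted(hits, key=lambda h: h[0], reverse=True)

# Constructed sample events following the Testing Methodology scenarios (documentation IP ranges).
SAMPLE_EVENTS = [
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "203.0.113.10", 4444),
    NetEvent("/usr/bin/curl", "198.51.100.7", 8088),  # Test 2 process is not on the high-risk list
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "203.0.113.20", 9001),
    NetEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", "203.0.113.30", 51820),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "203.0.113.40", 8443),
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "10.0.0.5", 4444),
]
```

triage(SAMPLE_EVENTS) returns scores 3, 3, 2, 1: the internal 10.0.0.5 connection and the browser session are dropped, and curl to 8088 lands at tier 1 because the query's process list does not include it.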

Data Sources

  • IBM QRadar SIEM
  • Sysmon (via Windows log sources)
  • Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Managed security tools or EDR agents that communicate with cloud backends on non-standard ports (e.g., port 8088 for telemetry) may trigger alerts — build exclusions for known agent process names and vendor IP ranges
  • Legitimate administrative scripts using certutil.exe for certificate operations or bitsadmin.exe for authorized downloads may connect to infrastructure on non-standard ports — validate with change management and asset inventory
  • Custom enterprise applications built on scripting runtimes (Python, PowerShell DSC) that reach internal or partner APIs on non-standard ports — baseline and suppress known-good source/destination combinations
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Netcat C2 Listener on Non-Standard Port (Windows)

    Expected signal: Sysmon Event ID 3: DestinationPort=4444, Image=powershell.exe, Initiated=true. DeviceNetworkEvents: RemotePort=4444, InitiatingProcessFileName=powershell.exe.

  2. Test 2: HTTPS Beacon Simulation Over Port 8088 (Linux/macOS)

    Expected signal: Sysmon/auditd network events: DestinationPort=8088, process=curl or python3. Linux netstat/ss shows ESTABLISHED connections on port 8088.

  3. Test 3: RDP Port Change via Registry (Windows)

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject contains 'RDP-Tcp\PortNumber', Details=33890. DeviceRegistryEvents: RegistryKey contains 'RDP-Tcp', RegistryValueName=PortNumber, RegistryValueData=33890.

  4. Test 4: Beaconing Simulation at Regular Intervals on Non-Standard Port

    Expected signal: Sysmon Event ID 3: 10 network connection events, DestinationPort=9001, Image=powershell.exe, at ~60-second intervals. DeviceNetworkEvents shows RegularInterval connections to port 9001.
