Detect Non-Standard Port in Microsoft Sentinel
This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1571 Non-Standard Port
- Canonical reference
- https://attack.mitre.org/techniques/T1571/
KQL Detection Query
let SuspiciousNonStandardPorts = dynamic([444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337]);
let HighRiskProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "svchost.exe"]);
let StandardWebPorts = dynamic([80, 443, 8080, 8443, 3000, 5000, 5001, 9000]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| extend ProcessLower = tolower(InitiatingProcessFileName)
| extend IsHighRiskProcess = ProcessLower in~ (HighRiskProcesses)
| extend IsKnownC2Port = RemotePort in (SuspiciousNonStandardPorts)
| extend IsNonStandardFromHighRisk = IsHighRiskProcess and RemotePort !in (StandardWebPorts) and RemotePort != 53 and RemotePort != 25
| where IsKnownC2Port or IsNonStandardFromHighRisk
| extend RiskScore = case(
IsHighRiskProcess and IsKnownC2Port, 3,
IsHighRiskProcess and IsNonStandardFromHighRisk, 2,
IsKnownC2Port, 1,
0
)
| summarize
TotalConnections = count(),
UniqueRemoteIPs = dcount(RemoteIP),
PortsUsed = make_set(RemotePort, 20),
RemoteIPs = make_set(RemoteIP, 10),
MaxRiskScore = max(RiskScore),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessParentFileName
| where MaxRiskScore >= 1
| extend AlertSeverity = case(
MaxRiskScore >= 3, "High",
MaxRiskScore == 2, "Medium",
"Low"
)
| project-reorder DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessParentFileName, PortsUsed, UniqueRemoteIPs, TotalConnections, MaxRiskScore, AlertSeverity, FirstSeen, LastSeen
| order by MaxRiskScore desc, TotalConnections descDetects outbound network connections from high-risk processes (cmd.exe, PowerShell, LOLBins) to non-standard ports, and flags connections to known malicious C2 port patterns (4444, 1337, 2083, 2087, 8088, etc.) observed in real-world threat actor campaigns. Risk scoring combines process risk and port suspicion to surface highest-confidence alerts first.
Data Sources
Required Tables
False Positives & Tuning
- Developer tooling and local services running on non-standard ports (e.g., Node.js apps on 3001, Python Flask on 5000, webpack dev server on 8088)
- Legitimate email relay over port 587 (SMTP STARTTLS) from mail client processes like outlook.exe or thunderbird.exe
- cPanel/WHM web hosting control panel using ports 2083 and 2087 for legitimate SSL management
- Security scanning tools (Nmap, Nessus, Metasploit listener) run by authorized red team or pentesters
- VPN and proxy clients that tunnel legitimate traffic over non-standard ports
Other platforms for T1571
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Netcat C2 Listener on Non-Standard Port (Windows)
Expected signal: Sysmon Event ID 3: DestinationPort=4444, Image=powershell.exe, Initiated=true. DeviceNetworkEvents: RemotePort=4444, InitiatingProcessFileName=powershell.exe.
- Test 2HTTPS Beacon Simulation Over Port 8088 (Linux/macOS)
Expected signal: Sysmon/auditd network events: DestinationPort=8088, process=curl or python3. Linux netstat/ss shows ESTABLISHED connections on port 8088.
- Test 3RDP Port Change via Registry (Windows)
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject contains 'RDP-Tcp\PortNumber', Details=33890. DeviceRegistryEvents: RegistryKey contains 'RDP-Tcp', RegistryValueName=PortNumber, RegistryValueData=33890.
- Test 4Beaconing Simulation at Regular Intervals on Non-Standard Port
Expected signal: Sysmon Event ID 3: 10 network connection events, DestinationPort=9001, Image=powershell.exe, at ~60-second intervals. DeviceNetworkEvents shows RegularInterval connections to port 9001.
References (7)
- https://attack.mitre.org/techniques/T1571/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage
- https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant
- https://securelist.com/wirte-group-attacking-the-middle-east/105635/
- https://unit42.paloaltonetworks.com/pingpull-gallium/
- https://www.group-ib.com/resources/threat-research/silence_moving-into-the-shadows.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bilbug-state-sponsored-espionage
Unlock Pro Content
Get the full detection package for T1571 including response playbook, investigation guide, and atomic red team tests.