Detect Non-Standard Port in Splunk
This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1571 Non-Standard Port
- Canonical reference: https://attack.mitre.org/techniques/T1571/
SPL Detection Query
```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval dest_port=tonumber(DestinationPort)
| eval Initiated=coalesce(Initiated, "true")
| where Initiated="true"
| eval is_known_c2_port=if(dest_port IN (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337), 1, 0)
| eval is_high_risk_process=if(match(lower(Image), "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe)"), 1, 0)
| eval is_standard_port=if(dest_port IN (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000), 1, 0)
| eval is_non_standard_from_high_risk=if(is_high_risk_process=1 AND is_standard_port=0 AND dest_port > 1024, 1, 0)
| where is_known_c2_port=1 OR is_non_standard_from_high_risk=1
| eval risk_score=case(
    is_high_risk_process=1 AND is_known_c2_port=1, 3,
    is_high_risk_process=1 AND is_non_standard_from_high_risk=1, 2,
    is_known_c2_port=1, 1,
    true(), 0)
| eval alert_severity=case(risk_score>=3, "High", risk_score=2, "Medium", true(), "Low")
| fillnull value="unknown" ParentImage
| stats count as connection_count,
    values(DestinationIp) as remote_ips,
    values(DestinationPort) as ports_used,
    max(risk_score) as max_risk_score,
    min(_time) as first_seen,
    max(_time) as last_seen,
    values(alert_severity) as severity
    by host, Image, User, ParentImage
| where max_risk_score >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk_score, -connection_count
| table host, Image, User, ParentImage, ports_used, remote_ips, connection_count, max_risk_score, severity, first_seen, last_seen
```

Uses Sysmon Event ID 3 (Network Connection) to identify outbound connections from known-risky process names to non-standard or known C2 ports. Risk scoring flags the highest-confidence events while capturing broad non-standard port usage from LOLBins and scripting interpreters. Note that Sysmon Event ID 3 does not carry a ParentImage field; the `fillnull` step gives it a placeholder value before `stats`, because `stats ... by` silently drops every event in which a by-field is null and the query would otherwise return nothing.
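To check the scoring logic offline before deploying it, the following added example (not part of the original page) re-implements the SPL eval/where/case chain and the stats grouping in Python and runs it over constructed Sysmon Event ID 3 records; the event dicts, hostnames, users and IPs are made up for the example.

```python
import re
from collections import defaultdict

# Port sets and process pattern copied from the SPL query so the two stay in step.
KNOWN_C2_PORTS = {444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667,
                  6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337}
STANDARD_PORTS = {80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000}
HIGH_RISK_IMAGE = re.compile(r"(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|"
                             r"regsvr32|certutil|bitsadmin|msiexec)\.exe")
SEVERITY = {3: "High", 2: "Medium"}   # every other score the query labels "Low"

def score_event(ev):
    """Mirror the SPL chain for one Event ID 3 record: 1-3 if it alerts, None if dropped."""
    if ev.get("Initiated", "true") != "true":     # coalesce(Initiated, "true") + where
        return None
    port = int(ev["DestinationPort"])
    high_risk = HIGH_RISK_IMAGE.search(ev["Image"].lower()) is not None
    known_c2 = port in KNOWN_C2_PORTS
    nonstd_from_high_risk = high_risk and port not in STANDARD_PORTS and port > 1024
    if not (known_c2 or nonstd_from_high_risk):  # the where clause drops everything else
        return None
    if high_risk and known_c2: return 3
    return 2 if nonstd_from_high_risk else 1      # same precedence as the SPL case()

def aggregate(events):
    """Group alerting events by (host, Image, User) the way the stats clause does."""
    groups = defaultdict(lambda: {"connection_count": 0, "remote_ips": set(),
                                  "ports_used": set(), "max_risk_score": 0})
    for ev in events:
        score = score_event(ev)
        if score is None: continue
        g = groups[(ev["Computer"], ev["Image"], ev["User"])]
        g["connection_count"] += 1
        g["remote_ips"].add(ev["DestinationIp"])
        g["ports_used"].add(int(ev["DestinationPort"]))
        g["max_risk_score"] = max(g["max_risk_score"], score)
        g["severity"] = SEVERITY.get(g["max_risk_score"], "Low")
    return dict(groups)

def ev(host, image, user, ip, port, initiated="true"):
    return {"Computer": host, "Image": image, "User": user, "DestinationIp": ip,
            "DestinationPort": str(port), "Initiated": initiated}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry); IPs are from documentation ranges.
SAMPLE_EVENTS = [
    ev("WS01", PS, r"CORP\alice", "203.0.113.10", 4444),                              # -> 3, High
    ev("WS01", PS, r"CORP\alice", "203.0.113.10", 4444),                              # same group
    ev("WS01", r"C:\Program Files\Chrome\chrome.exe", r"CORP\alice", "198.51.100.5", 8088),  # -> 1
    ev("WS02", r"C:\Windows\System32\cmd.exe", r"CORP\bob", "192.0.2.7", 50123),        # -> 2
    ev("WS03", r"C:\Windows\System32\rundll32.exe", "SYSTEM", "10.0.0.5", 4444, "false"),  # inbound
]
```

Running `aggregate(SAMPLE_EVENTS)` yields three groups: the PowerShell beacons (2 connections, High), the cmd.exe high-port connection (Medium) and the browser hit on 8088 (Low), while the inbound rundll32 event is dropped exactly as the `where Initiated="true"` clause drops it.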
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 3, Network Connection)
False Positives & Tuning
- Legitimate web applications or microservices on developer machines using high ports (e.g., 8088, 8888) for local dev servers
- Authorized penetration testing tools generating C2-like traffic on known test ports (4444, 1337)
- cPanel/WHM hosting management legitimately using ports 2083/2087 for SSL-secured web hosting control
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Netcat C2 Listener on Non-Standard Port (Windows)
Expected signal: Sysmon Event ID 3: DestinationPort=4444, Image=powershell.exe, Initiated=true. DeviceNetworkEvents: RemotePort=4444, InitiatingProcessFileName=powershell.exe.
- Test 2: HTTPS Beacon Simulation Over Port 8088 (Linux/macOS)
Expected signal: Sysmon/auditd network events: DestinationPort=8088, process=curl or python3. Linux netstat/ss shows ESTABLISHED connections on port 8088.
- Test 3: RDP Port Change via Registry (Windows)
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject contains 'RDP-Tcp\PortNumber', Details=33890. DeviceRegistryEvents: RegistryKey contains 'RDP-Tcp', RegistryValueName=PortNumber, RegistryValueData=33890.
- Test 4: Beaconing Simulation at Regular Intervals on Non-Standard Port
Expected signal: Sysmon Event ID 3: 10 network connection events, DestinationPort=9001, Image=powershell.exe, at ~60-second intervals. DeviceNetworkEvents shows regular-interval connections to port 9001.
References (7)
- https://attack.mitre.org/techniques/T1571/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage
- https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant
- https://securelist.com/wirte-group-attacking-the-middle-east/105635/
- https://unit42.paloaltonetworks.com/pingpull-gallium/
- https://www.group-ib.com/resources/threat-research/silence_moving-into-the-shadows.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bilbug-state-sponsored-espionage