T1571 Sumo Logic CSE · Sumo

Detect Non-Standard Port in Sumo Logic CSE

This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1571 Non-Standard Port
Canonical reference
https://attack.mitre.org/techniques/T1571/

Sumo Detection Query

Sumo Logic CSE (Sumo)
```
_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "3"
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "DestinationIp: *" as dest_ip nodrop
| parse field=Message "DestinationPort: *" as dest_port_str nodrop
| parse field=Message "User: *" as username nodrop
// Sysmon Event ID 3 carries no ParentImage field; nodrop keeps events where it is absent
| parse field=Message "ParentImage: *" as parent_image nodrop
| parse field=Message "Initiated: *" as initiated nodrop
| where initiated = "true"
| num(dest_port_str) as dest_port
// Only outbound connections to public destinations are in scope; drop RFC 1918 ranges
| where !(dest_ip matches /^10\./ or dest_ip matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or dest_ip matches /^192\.168\./)
// Ports observed in WIRTE, PingPull and Contagious Interview infrastructure
| if(dest_port in (444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667, 6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337), 1, 0) as is_known_c2_port
| toLowerCase(process_image) as process_lower
// Scripting interpreters, LOLBins and service hosts that rarely have a reason to beacon out
| if(process_lower matches /.*(\/|\\)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|svchost\.exe)$/, 1, 0) as is_high_risk
| if(dest_port in (80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000), 1, 0) as is_standard_port
| if(is_high_risk = 1 and is_standard_port = 0 and dest_port > 1024, 1, 0) as is_non_std_high_risk
| where is_known_c2_port = 1 or is_non_std_high_risk = 1
// Score: high-risk process on a known C2 port = 3, high-risk process on any other unexpected port = 2, known C2 port alone = 1
| if(is_high_risk = 1 and is_known_c2_port = 1, 3, if(is_non_std_high_risk = 1, 2, if(is_known_c2_port = 1, 1, 0))) as risk_score
| if(risk_score >= 3, "High", if(risk_score = 2, "Medium", "Low")) as severity
| count as connection_count, values(dest_ip) as remote_ips, values(dest_port) as ports_used, max(risk_score) as max_risk_score, min(_messageTime) as first_seen, max(_messageTime) as last_seen, values(severity) as alert_severity by _sourceHost, process_image, username, parent_image
| where max_risk_score >= 1
| sort by max_risk_score desc, connection_count desc
| fields _sourceHost, process_image, username, parent_image, ports_used, remote_ips, connection_count, max_risk_score, alert_severity, first_seen, last_seen
```

Severity: High · Confidence: High

Sumo Logic query detecting non-standard port C2 activity using Sysmon EventID 3 (Network Connection) logs. Parses process image, destination IP/port, and initiating user context, then applies the same risk scoring model as the reference queries — flagging known C2 ports and high-risk LOLBin processes connecting to unexpected ports on public IPs.
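To check the scoring model offline before deploying it, the same filters and risk tiers can be run over raw Sysmon Event ID 3 Message bodies. This is an added example, not the page's query or a Sumo Logic tool; the function names and the sample events are constructed for illustration, and the port and process lists are copied from the query above.

```python
import re

# Port and process lists mirror the Sumo query above.
KNOWN_C2_PORTS = {444, 587, 1224, 1337, 2083, 2087, 4443, 4444, 4445, 6666, 6667,
                  6668, 7777, 8008, 8088, 8888, 9001, 9090, 31337}
STANDARD_PORTS = {80, 443, 8080, 8443, 53, 25, 3000, 5000, 9000}
HIGH_RISK_EXES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                  "bitsadmin.exe", "msiexec.exe", "svchost.exe"}
PRIVATE_DEST = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")

def parse_sysmon3(message):
    """Turn the 'Key: value' lines of a Sysmon Event ID 3 Message body into a dict."""
    return dict(re.findall(r"^(\w+): (.*)$", message, re.M))

def score(fields):
    """Apply the query's filters and scoring; return (risk_score, severity) or None."""
    if fields.get("Initiated", "").lower() != "true":
        return None                      # inbound/listen events are out of scope
    if PRIVATE_DEST.match(fields.get("DestinationIp", "")):
        return None                      # RFC 1918 destinations are excluded
    port = int(fields.get("DestinationPort", "0"))
    exe = fields.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    known_c2 = port in KNOWN_C2_PORTS
    high_risk = exe in HIGH_RISK_EXES
    non_std_high_risk = high_risk and port not in STANDARD_PORTS and port > 1024
    if not (known_c2 or non_std_high_risk):
        return None
    risk = 3 if (high_risk and known_c2) else 2 if non_std_high_risk else 1
    return risk, {3: "High", 2: "Medium"}.get(risk, "Low")

def score_all(messages):
    return [score(parse_sysmon3(m)) for m in messages]

# Constructed sample Message bodies (not real telemetry), one per scoring branch.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nUser: CORP\\alice\n"
    "Initiated: true\nDestinationIp: 203.0.113.10\nDestinationPort: 4444",
    "Image: C:\\Program Files\\Browser\\browser.exe\nUser: CORP\\bob\n"
    "Initiated: true\nDestinationIp: 198.51.100.5\nDestinationPort: 8088",
    "Image: C:\\Windows\\System32\\cmd.exe\nUser: CORP\\carol\n"
    "Initiated: true\nDestinationIp: 198.51.100.7\nDestinationPort: 51820",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nUser: CORP\\dave\n"
    "Initiated: true\nDestinationIp: 10.20.30.40\nDestinationPort: 4444",
    "Image: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\SYSTEM\n"
    "Initiated: true\nDestinationIp: 198.51.100.9\nDestinationPort: 443",
]
if __name__ == "__main__":
    for msg, result in zip(SAMPLE_EVENTS, score_all(SAMPLE_EVENTS)):
        print(parse_sysmon3(msg)["DestinationPort"], result)
```

The last two samples show the two suppression paths (private destination, standard port on a high-risk process) returning no alert.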

Data Sources

Sumo Logic (Sysmon via Windows agent)
Sumo Logic Cloud SIEM Enterprise

Required Tables

Sysmon EventID 3 (Network Connect) via Sumo Logic installed collector

False Positives & Tuning

  • Package managers and update clients (chocolatey, winget, Windows Update agents invoked via msiexec.exe) may connect to CDN endpoints on non-standard ports — validate destination hostname and correlate with patch maintenance windows
  • Development environments with PowerShell-based test harnesses that reach local or staging APIs on high ports will generate false positives — exclude known developer workstation subnet ranges and suppress by machine OU
  • SOC tooling such as Velociraptor, OSQuery, or endpoint agents initiated by svchost.exe may communicate on non-standard ports — verify against known security tool inventory and whitelist by destination IP

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Netcat C2 Listener on Non-Standard Port (Windows)

     Expected signal: Sysmon Event ID 3: DestinationPort=4444, Image=powershell.exe, Initiated=true. DeviceNetworkEvents: RemotePort=4444, InitiatingProcessFileName=powershell.exe.

  2. Test 2: HTTPS Beacon Simulation Over Port 8088 (Linux/macOS)

     Expected signal: Sysmon/auditd network events: DestinationPort=8088, process=curl or python3. Linux netstat/ss shows ESTABLISHED connections on port 8088.

  3. Test 3: RDP Port Change via Registry (Windows)

     Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject contains 'RDP-Tcp\PortNumber', Details=33890. DeviceRegistryEvents: RegistryKey contains 'RDP-Tcp', RegistryValueName=PortNumber, RegistryValueData=33890.

  4. Test 4: Beaconing Simulation at Regular Intervals on Non-Standard Port

     Expected signal: Sysmon Event ID 3: 10 network connection events, DestinationPort=9001, Image=powershell.exe, at ~60-second intervals. DeviceNetworkEvents shows regular-interval connections to port 9001.
