title: Non-Standard Port (T1571)
id: df00tech-t1571
status: experimental
description: "This detection identifies adversary command and control (C2) activity using protocols on non-standard ports, a technique used to bypass network filtering rules and evade traffic analysis. Attackers may use HTTPS over ports like 8088, 2083, 2087, or 587, HTTP over 8080 or 8008, or arbitrary high ports like 4444, 1337, or 9001 to blend in with legitimate traffic or avoid port-based firewall rules. The detection correlates outbound connections to non-standard ports with high-risk processes (scripting interpreters, LOLBins, spawned shells) and flags known malicious port patterns observed in threat actor infrastructure including WIRTE, PingPull, and Contagious Interview campaigns. Both KQL and SPL queries score events by combining process risk and port suspicion to surface the highest-confidence alerts while suppressing common developer and admin tooling noise."
references:
  - https://attack.mitre.org/techniques/T1571/
  - https://df00tech.com/detections/T1571
author: df00tech
date: 2026/04/21
tags:
  - attack.t1571
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developer tooling and local services running on non-standard ports (e.g., Node.js apps on 3001, Python Flask on 5000, webpack dev server on 8088)"
  - Legitimate email relay over port 587 (SMTP STARTTLS) from mail client processes like outlook.exe or thunderbird.exe
  - cPanel/WHM web hosting control panel using ports 2083 and 2087 for legitimate SSL management
  - "Security scanning tools (Nmap, Nessus, Metasploit listener) run by authorized red team or pentesters"
  - VPN and proxy clients that tunnel legitimate traffic over non-standard ports
level: high