some legitimate applications may use high or non-standard ports, such as alternate ssh daemons or development tools. however, many of these ports are commonly used by threat actors for reverse shells or c2 communications. review the associated process and command-line context to determine intent.

Techniques

T1571

Sample rules

Cisco NVM - Outbound Connection to Suspicious Port

source: splunk
technicques:
- T1571

Description

The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port. It leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes communicating over ports like 4444, 2222, or 51820 are commonly used by tools like Metasploit, SliverC2 or other pentest, red team or malware. These connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.

Detection logic

`cisco_network_visibility_module_flowdata`
NOT dest IN (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", 
        "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", 
        "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", 
        "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", 
        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
        )

| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport

| lookup suspicious_ports_list dest_port OUTPUTNEW comment as dest_port_metadata confidence as dest_confidence category as dest_port_category

| where isnotnull(dest_port_metadata)

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table
  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime

| `cisco_nvm___outbound_connection_to_suspicious_port_filter`