LoFP / some legitimate services or custom applications may use non-standard ports for development, remote management, or internal communication. ephemeral ports in test environments may occasionally overlap with ports used in this detection. additional context such as process name, user behavior, or endpoint telemetry should be used to validate suspicious sessions before escalation.

Techniques

• T1021
• T1055
• T1059.001
• T1105
• T1219
• T1571

Sample rules

Cisco Secure Firewall - Communication Over Suspicious Ports

• source: splunk
• technicques:
  • T1021
  • T1055
  • T1059.001
  • T1105
  • T1219
  • T1571

Description

The following analytic detects potential reverse shell activity by identifying connections involving ports commonly associated with remote access tools, shell listeners, or tunneling utilities. It leverages Cisco Secure Firewall Threat Defense logs and monitors destination ports against a list of non-standard, high-risk port values often used in post-exploitation scenarios. Adversaries frequently configure tools like netcat, Meterpreter, or other backdoors to listen or connect over uncommon ports such as 4444, 2222, or 51820 to bypass standard monitoring and firewall rules. If confirmed malicious, this activity may represent command and control (C2) tunneling, lateral movement, or unauthorized remote access.

Detection logic

`cisco_secure_firewall` EventType=ConnectionEvent dest_port IN ("888", "999", "2200", "2222", "4000", "4444", "6789", "8531", "50501", "51820") 
| fillnull value="unknown" url

| stats min(_time) as firstTime max(_time) as lastTime 
      values(src_port) as src_port
      values(url) as url
      values(rule) as rule
      count by src_ip, dest, dest_port, transport, action

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___communication_over_suspicious_ports_filter`