Network Communication Initiated To Portmap.IO Domain

 1title: Network Communication Initiated To Portmap.IO Domain
 2id: 07837ab9-60e1-481f-a74d-c31fb496a94c
 3status: experimental
 4description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
 5references:
 6    - https://portmap.io/
 7    - https://github.com/rapid7/metasploit-framework/issues/11337
 8    - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
 9author: Florian Roth (Nextron Systems)
10date: 2024/05/31
11tags:
12    - attack.t1041
13    - attack.command_and_control
14    - attack.t1090.002
15    - attack.exfiltration
16logsource:
17    category: network_connection
18    product: windows
19detection:
20    selection:
21        Initiated: 'true'
22        DestinationHostname|endswith: '.portmap.io'
23    condition: selection
24falsepositives:
25    - Legitimate use of portmap.io domains
26level: medium

References

• Portmap.io - free port forwarding solution

  

  Expose your local PC to Internet from behind firewall and without real IP address

  
  Read More

• Reverse shell with portmap.io · Issue #11337 · rapid7/metasploit-framework

  

  Steps to reproduce How'd you do it? ...I have a general question. ... Is it possible to get a reverse shell with Portmap.io? NOT creating a PAYLOAD. I am using windows/dcerpc/ms03_026_dcom so will ...

  
  Read More

• X Pro

  Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Network Connection Initiated To Cloudflared Tunnels Domains
• OpenCanary - TFTP Request
• APT40 Dropbox Tool User Agent
• Communication To Ngrok Tunneling Service Initiated
• DNS Exfiltration and Tunneling Tools Execution