Testing Usage of Uncommonly Used Port
Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
Sigma rule (View on GitHub)
1title: Testing Usage of Uncommonly Used Port
2id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
3status: test
4description: |
5 Adversaries may communicate using a protocol and port paring that are typically not associated.
6 For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
9 - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
10author: frack113
11date: 2022/01/23
12tags:
13 - attack.command_and_control
14 - attack.t1571
15logsource:
16 product: windows
17 category: ps_script
18 definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20 selection:
21 ScriptBlockText|contains|all:
22 - Test-NetConnection
23 - '-ComputerName '
24 - '-port '
25 filter:
26 ScriptBlockText|contains:
27 - ' 443 '
28 - ' 80 '
29 condition: selection and not filter
30falsepositives:
31 - Legitimate administrative script
32level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Use this topic to help manage Windows and Windows Server technologies with Windows PowerShell.
Read More
Related rules
- Anydesk Temporary Artefact
- GoToAssist Temporary Installation Artefact
- Installation of TeamViewer Desktop
- Suspicious SSL Connection
- Suspicious Registry Key Added: LanmanServer Parameters