Non-Standard Port T1571

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Events covered

9 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 4 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (9 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
DestinationPort2eq 2100, 10101, 12102, 8080, 8888
Image2starts_with 2c:\program files (x86)\, c:\program files\
Initiated2eq 2true
dest_ip2cidr_match 210.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16
BeaconPercent1gt 180
ScriptBlockText1contains 1 443 , 80 , -computername
TimeDeltainSeconds1gt 110
TotalEvents1gt 115
src_ip1eq 1nextSrcIpAddr

Top indicator values (74 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
Imagestarts_with
c:\program files (x86)\
219
Imagestarts_with
c:\program files\
220
Initiatedeq
true
248
dest_ipcidr_match
10.0.0.0/8
215
dest_ipcidr_match
127.0.0.0/8
216
dest_ipcidr_match
169.254.0.0/16
215
dest_ipcidr_match
172.16.0.0/12
215
dest_ipcidr_match
192.168.0.0/16
215
dest_ipcidr_match
::1/128
216
dest_ipcidr_match
fc00::/7
215
dest_ipcidr_match
fe80::/10
215
BeaconPercentgt
80
1
DestinationPorteq
100
1
DestinationPorteq
10101
1
DestinationPorteq
12102
1
DestinationPorteq
12103
1
DestinationPorteq
12322
1
DestinationPorteq
13145
1
DestinationPorteq
13394
1
DestinationPorteq
13504
1
DestinationPorteq
13505
1
DestinationPorteq
13506
1
DestinationPorteq
13507
1
DestinationPorteq
14102
1
DestinationPorteq
14103
1
DestinationPorteq
14154
1
DestinationPorteq
1443
1
DestinationPorteq
1515
1
DestinationPorteq
1777
1
DestinationPorteq
1817
1

Exclusions (12 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
dest_ipcidr_match
10.0.0.0/8
3
dest_ipcidr_match
127.0.0.0/8
3
dest_ipcidr_match
169.254.0.0/16
3
dest_ipcidr_match
172.16.0.0/12
3
dest_ipcidr_match
192.168.0.0/16
3
dest_ipcidr_match
::1/128
2
dest_ipcidr_match
fc00::/7
2
dest_ipcidr_match
fe80::/10
2
Imagestarts_with
c:\program files (x86)\
2
Imagestarts_with
c:\program files\
2
ScriptBlockTextcontains
443
1
ScriptBlockTextcontains
80
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 3 rules

Kusto 1 rule