
Non-Standard Port T1571

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Events covered

9 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
| --- | --- | --- |
| Sysmon | 3 | Network connection |
| Security-Auditing | 5152 | The Windows Filtering Platform blocked a packet. |
| Security-Auditing | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| Security-Auditing | 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| Security-Auditing | 5156 | The Windows Filtering Platform has permitted a connection. |
| Security-Auditing | 5157 | The Windows Filtering Platform has blocked a connection. |
| Security-Auditing | 5158 | The Windows Filtering Platform has permitted a bind to a local port. |
| Security-Auditing | 5159 | The Windows Filtering Platform has blocked a bind to a local port. |
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |

Authoring guide

Patterns shared across the 4 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (9 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and, in parentheses, how many rules use each operator. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| dest_ip | 2 | cidr_match (2) | 10.0.0.0/8, ::1/128, fe80::/10 |
| Image | 2 | starts_with (2) | C:\Program Files (x86)\, C:\Program Files\ |
| Initiated | 2 | eq (2) | true |
| DestinationPort | 2 | eq (2) | 8888, 8080, 13505, 12102, 7210 |
| TimeDeltainSeconds | 1 | gt (1) | TimeDeltaThreshold |
| BeaconPercent | 1 | gt (1) | PercentBeaconThreshold |
| src_ip | 1 | eq (1) | nextSrcIpAddr |
| TotalEvents | 1 | gt (1) | TotalEventsThreshold |
| ScriptBlockText | 1 | match (1) | " 443 ", Test-NetConnection, -port |

Top indicator values (74 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination appears only in rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| Initiated | eq | true | 2 | 40 |
| Image | starts_with | C:\Program Files (x86)\ | 2 | 14 |
| dest_ip | cidr_match | 10.0.0.0/8 | 2 | 12 |
| dest_ip | cidr_match | fe80::/10 | 2 | 12 |
| dest_ip | cidr_match | fc00::/7 | 2 | 12 |
| dest_ip | cidr_match | 192.168.0.0/16 | 2 | 12 |
| dest_ip | cidr_match | 172.16.0.0/12 | 2 | 12 |
| dest_ip | cidr_match | 169.254.0.0/16 | 2 | 12 |
| dest_ip | cidr_match | ::1/128 | 2 | 13 |
| dest_ip | cidr_match | 127.0.0.0/8 | 2 | 13 |
| Image | starts_with | C:\Program Files\ | 2 | 15 |
| TimeDeltainSeconds | gt | TimeDeltaThreshold | 1 | |
| BeaconPercent | gt | PercentBeaconThreshold | 1 | |
| TotalEvents | gt | TotalEventsThreshold | 1 | |
| src_ip | eq | nextSrcIpAddr | 1 | |
| DestinationPort | eq | 8080 | 1 | |
| DestinationPort | eq | 8888 | 1 | |
| DestinationPort | eq | 14102 | 1 | |
| DestinationPort | eq | 1515 | 1 | |
| DestinationPort | eq | 13505 | 1 | |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.

Sigma: 3 rules

Kusto Query Language: 1 rule