Hunting for suspicious ports activities

mthcht
5 min readAug 7, 2023

--

Using the list of suspicious ports: https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_ports_list.csv (updated regularly)

dest_port,metadata.comment,metadata.confidence
666,multiple malwares and legit usages,medium
801,manjusaka (cobalstrike chinese clone) default panel ui,medium
1015,Doly trojan,high
1025,multiples malwares,low
1030,multiples malwares and legit usages,low
1042,Bla trojan,high
1075,Backdoor.Win32.LanaFTP.k listening on this port,high
1080,multiple malwares + ligolo pentest tool default port + SOCKS proxy,medium
1170,Psyber Stream Server - PSS,high
1234,Ultors trojan but also vlc and some games,medium
1241,Nessus default port,medium
1243,SubSeven backdoor,high
1337,empire + crackmapexec + icebreaker + KittyStager default port. the port is also associated with various other types of exploits or shellcode,high
1981,Shockrave malware,high
1999,SubSeven trojan but also used by citrix and cisco,low
2001,Millennium Worm and multiple malwares,medium
2222,DoHC2 + externalc2 + some Qakbot C2 traffic and other trojans but also massively used legitimatly to host ssh servers,info
2766,The Infector trojan and legit usages,low
2773,SubSeven trojan and some backup services,medium
2989,multiple RAT,high
3000,ptunnel-ng + beefproject http panel default port,medium
3001,Nessus Security Scanner and other legit usages,low
3024,WinCrash trojan,high
3030,nuages C2 default port and other malwares,high
3128,proxy default port abused by quasarrat and multiple other malwares,info
3129,Master's Paradise trojan,high
3200,manjusaka (cobalstrike chinese clone) default panel ui,medium
3410,Optix Pro trojan,high
4000,ptunnel-ng + multiple malwares and RAT but also some legit usages,medium
4041,Masters Paradise trojan,high
4092,WinCrash trojan,high
4444,Default listener port for Metasploit,high
4051,AlanFramework C2 default port but also used by cisco P2P,high
4433,AlanFramework C2 default port and Acidoor backdoor,high
4567,PrimusC2 + File Nail trojan and legit usage for verizon,medium
4590,ICQTrojan,high
4782,Quasar default port,high
5000,hardhatC2 and HRShell default port + other malwares and legit usages,medium
5001,FudgeC2 + spiderfoot and other malwares but also used by synology NAS and yahoo messenger,medium
5002,multiple malwares and legit usages,low
5096,hardhatC2 default port,high
5321,Firehotcker trojan,high
5400,BladeRunner and Back Construction trojans but also some games,medium
5500,droidjack RAT but also VNC default port,medium
5556,AlanFramework C2 default port and H0rtiga trojan,high
5650,'pizza trojan' lite manager remote desktop and AeroAdmin,medium
5651,lite manager remote desktop,medium
5655,AeroAdmin and some legit usages,medium
5800,VNC default port,medium
5900,VNC default port (5900–5910),medium
5901,VNC default port (5900–5910),medium
5902,VNC default port (5900–5910),medium
5903,VNC default port (5900–5910),medium
5904,VNC default port (5900–5910),medium
5905,VNC default port (5900–5910),medium
5906,VNC default port (5900–5910),medium
5907,VNC default port (5900–5910),medium
5908,VNC default port (5900–5910),medium
5909,VNC default port (5900–5910),medium
5910,VNC default port (5900–5910),medium
5938,teamviewer default port,medium
6129,DameWare Remote Control,medium
6130,DameWare Remote Control,medium
6132,DameWare Remote Control internet proxy,medium
6133,DameWare Remote Control mobile gateway,medium
6568,anydesk default port,medium
6666,kali default port - IRC botnets and RAT,high
6667,IRC channel used by botnet and multiple malwares but also legit usages,medium
6783,Splashtop Remote,medium
6784,Splashtop Remote,medium
6785,Splashtop Remote,medium
7070,observed used with powershell empire and anydesk but mostly legit usage,low
7096,hardhatC2 default port and other legit usages,high
7443,covenant C2 or mythic C2 default port and legit usages for vmware and oracle,low
7444,mythic C2 default port and legit vmware port,medium
7474,default port for bloodhound neo4j,medium
7687,Neo4j default port,medium
8022,MaccaroniC2 default port,high
8040,ConnectWise Control,medium
8041,ConnectWise Control,medium
8080,AlanFramework C2 default port + Browser-C2 + KittyStager + Ares C2 + malwares and rat observed with this port but used by many many legitimate services but still worth hunting for,info
8081,AlanFramework C2 + mip22 + Browser-C2 default port example but also lots of legitimate services,low
8200,GoToMyPC and gotomeeting,medium
8443,AlanFramework C2 default port but also many other legitimate services,low
8848,DcRat,medium
8888,POSHC2 default port but also legit usages,medium
8999,PrimusC2,medium
9050,default port used by the Tor network for its SOCKS proxy also used by MaccaroniC2 proxy,high
9051,default port used by the Tor network for the controller,high
9090,impacket and other legit usages,low
9631,hardhatC2 default port and other legit usages,high
9988,Rbot-GR trojan and other legit usages,medium
9999,rpivot + DarkComet + netcat listener default port examples but also legit usages,low
10002,multiple malwares,medium
10110,Proxot malware,low
10426,Backdoor.Win32.Agent.cu, medium
10666,ambush trojan,low
12122,Backdoor.Hellza server listening on this port,medium
12345,netbus trojan and other malwares,high
12346,netbus trojan and other malwares,high
17300,Kuang2 trojan,high
20034,netbus trojan and other malwares,high
21802,hardhatC2 default port,high
27374,SubSeven backdoor and multiple other malwares,high
30662,o365-attack-toolkit default port,high
31335,Trinoo distributed attack tool port,high
31337,SliverC2 + ThunderShell default port + Back Orifice backdoor. also associated with various other types of exploits or shellcode,high
31338,Back Orifice backdoor and other malwares,high
31785,Hack'a'Tack RAT,high
31789,Hack'a'Tack RAT,high
35000,evilqr,medium
48101,W32.Blastclan.Worm,high
50050,sharpc2 and cobaltstrike default port,high
53531,dnscat2 default port,high
54320,Back Orifice backdoor,medium
55553,Metasploit RPC daemon default port also used by Armitage team server,high
57230,covenant C2 default port,high
61466,Backdoor:Win32/Thething.F and telecommando trojan,medium
65000,Devil RAT,medium
  • dest_port: suspicious destination port
  • metadata.comment: short description
  • metadata.confidence: confidence level for low false positive result (low — medium — high)

Detection rule with Splunk:

High confidence detection rule search:

`myfirewall` src_ip IN (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12)
NOT (dest_ip IN (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12))
| lookup suspicious_ports_list.csv dest_port OUTPUT metadata.comment as comment metadata.confidence as confidence
| where confidence=high
| stats values(index)
values(sourcetype)
values(vendor_product)
earliest(_time) as firsttime
latest(_time) as lasttime
values(action)
values(dest_ip)
values(dest_port)
values(protocol)
values(comment)
values(confidence)
count by src_ip
| rename values(*) as *
| convert ctime(*time)
  • `myfirewall` : custom macro to get firewall logs (replace with your index and sourcetype, tags or your own macro)
    `src_ip IN (...) ... NOT (dest_ip IN(...)` : only search for internal source IP address requesting external IP address.
  • `suspicious_ports_list.csv` : our csv list of suspicious port uploaded on the SIEM
  • `lookup suspicious_ports_list.csv dest_port OUTPUT metadata.comment as comment metadata.confidence as confidence : use the lookup suspicious_ports_list.csv to search matching dest_port in the firewall logs

And group the result by src_ip, this will show you all the internal source IP making requests to extenal dest_ip on the suspicious destination ports of the list.

Before deploying this detection rule, make sure to exclude legitimate internal vulnerability scanners within your environment and if some of your supervised machines are exposed on the internet (DMZ) you should filter on the tcp flag (a field that you should be able to add in your logs for most firewall solutions) only keep the initiated requests by your exposed servers and excluded the responses (FIN, RST…) usually a number is associated with each flag for each firewall solution.

All results (Threat Hunting)

`myfirewall` src_ip IN (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12)
NOT (dest_ip IN (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12))
| lookup suspicious_ports_list.csv dest_port OUTPUT metadata.comment as comment metadata.confidence as confidence
| stats values(index)
values(sourcetype)
values(vendor_product)
earliest(_time) as firsttime
latest(_time) as lasttime
values(action)
values(dest_ip)
values(dest_port)
values(protocol)
count by src_ip confidence comment
| rename values(*) as *
| convert ctime(*time)

Here we just removed the filter on the ports with high confidence scores. It’s essential to begin with this step, as environments can vary greatly.

What might be classified as a high confidence port in one context could be considered a low confidence port in another, depending on the obscure solutions utilized in your specific environment.

Therefore, careful assessment and triage are critical to make the detection rule relevant.

--

--

mthcht
mthcht

Written by mthcht

Threat Hunting - DFIR - Detection Engineering

No responses yet