Potential Non-Standard Port HTTP/HTTPS connection

edit

Potential Non-Standard Port HTTP/HTTPS connection

edit

Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
network where process.name : ("http", "https")
  and destination.port not in (80, 443)
  and event.action in ("connection_attempted", "connection_accepted")
  and destination.ip != "127.0.0.1"

Framework: MITRE ATT&CKTM