Language: spl · License: Apache-2.0 · Source: splunk/security_content

Cisco NVM - Outbound Connection to Suspicious Port

The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port. It leverages Cisco Network Visibility Module (NVM) flow data logs to identify potentially suspicious behavior by looking for processes communicating over ports such as 4444, 2222, or 51820, which are commonly used by tools like Metasploit, Sliver C2, and other pentest, red-team, or malware tooling. These connections are worth investigating further, especially when they are initiated by unexpected or non-network-native binaries.
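The rule source is locked on this page, so the following is an added illustration of the detection logic described above, not the Splunk SPL from splunk/security_content. It filters constructed NVM-style flow records for outbound connections to the three ports the description names and rates each hit by whether the initiating process is on a local allowlist of network-native binaries (the key=value field names `ts`, `host`, `pn`, `dir`, `dip`, `dp`, the allowlist, and the sample records are all assumptions):

```python
"""
Added example, not the original Splunk rule. Flags outbound flows to the ports
called out in the rule description and attaches a severity based on whether the
initiating process is a binary that is expected to talk to the network.
Field names, the allowlist and the sample records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Ports named in the rule description.
SUSPICIOUS_PORTS = {4444, 2222, 51820}

# Assumed allowlist of binaries that routinely make outbound connections.
# A hit from one of these is still reported, but at lower severity, because
# e.g. an SSH client on 2222 or a VPN client on 51820 is a common false positive.
NETWORK_NATIVE = {"chrome.exe", "msedge.exe", "firefox.exe", "ssh.exe", "wireguard.exe"}


@dataclass
class Flow:
    ts: str
    host: str
    process: str
    direction: str
    dest_ip: str
    dest_port: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one key=value flow record; return None if a required field is missing or malformed."""
    kv: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            kv[key] = value
    try:
        return Flow(kv["ts"], kv["host"], kv["pn"], kv["dir"], kv["dip"], int(kv["dp"]))
    except (KeyError, ValueError):
        return None


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per outbound flow whose destination port is in SUSPICIOUS_PORTS."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.direction != "out" or flow.dest_port not in SUSPICIOUS_PORTS:
            continue
        severity = "medium" if flow.process.lower() in NETWORK_NATIVE else "high"
        findings.append({
            "ts": flow.ts,
            "host": flow.host,
            "process": flow.process,
            "dest": f"{flow.dest_ip}:{flow.dest_port}",
            "severity": severity,
        })
    return findings


# Constructed sample records (assumed NVM-like key=value layout, documentation IP ranges).
SAMPLE_FLOWS = [
    "ts=2024-05-01T10:00:00Z host=WS01 pn=notes.exe dir=out dip=203.0.113.10 dp=4444 proto=tcp",
    "ts=2024-05-01T10:00:05Z host=WS01 pn=chrome.exe dir=out dip=198.51.100.20 dp=443 proto=tcp",
    "ts=2024-05-01T10:01:00Z host=WS02 pn=ssh.exe dir=out dip=203.0.113.30 dp=2222 proto=tcp",
    "ts=2024-05-01T10:02:00Z host=WS02 pn=updater.exe dir=in dip=10.0.0.5 dp=4444 proto=tcp",
    "ts=2024-05-01T10:03:00Z host=WS03 pn=wireguard.exe dir=out dip=198.51.100.40 dp=51820 proto=udp",
    "this line is not a valid flow record",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_FLOWS):
        print(finding)
```

Running the block reports the `notes.exe` flow to port 4444 as high severity and the `ssh.exe` and `wireguard.exe` flows as medium, while the inbound record, the HTTPS flow and the malformed line are skipped. The allowlist is where an analyst tunes the false-positive rate for their environment.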

Quality: 67
FP risk: (not stated)
Forks: 0
Views: 1
Rule source: locked (sign in required)
