Anomalous New Listening Port

Description

Alerts when a series of hosts begin listening on a new port within 24 hours. This may be an indication that the devices have been compromised or have had new (and potentially vulnerable) software installed.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise, Unauthorized Software, Lateral Movement


SPL Difficulty

Advanced

Journey

Stage 4

MITRE ATT&CK Tactics

Command and Control

MITRE ATT&CK Techniques

Uncommonly Used Port
Commonly Used Port

MITRE Threat Groups

APT18
APT19
APT28
APT29
APT3
APT32
APT33
APT37
Dragonfly 2.0
FIN7
FIN8
Gorgon Group
Group5
Lazarus Group
Magic Hound
Night Dragon
OilRig
TEMP.Veles
Threat Group-3390

Data Sources

Endpoint Detection and Response