Detection: Cisco NVM - Outbound Connection to Suspicious Port

Updated Date: 2025-07-01 ID: fc32a8d5-bc79-4437-b48f-4646ab7bed9d Author: Nasreddine Bencherchali, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port. It leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes communicating over ports like 4444, 2222, or 51820 are commonly used by tools like Metasploit, SliverC2 or other pentest, red team or malware. These connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.

Search

 1`cisco_network_visibility_module_flowdata`
 2NOT dest IN (
 3        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", 
 4        "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", 
 5        "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", 
 6        "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", 
 7        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
 8        )
 9
10| stats count min(_time) as firstTime max(_time) as lastTime
11        values(parent_process_arguments) as parent_process_arguments
12        values(process_arguments) as process_arguments
13        values(parent_process_hash) as parent_process_hash
14        values(process_hash) as process_hash
15        values(module_name_list) as module_name_list
16        values(module_hash_list) as module_hash_list
17        values(dest_port) as dest_port
18        values(aliul) as additional_logged_in_users_list
19        values(dest_hostname) as dest_hostname
20        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
21
22| lookup suspicious_ports_list dest_port OUTPUTNEW comment as dest_port_metadata confidence as dest_confidence category as dest_port_category
23
24| where isnotnull(dest_port_metadata)
25
26| `security_content_ctime(firstTime)`
27
28| `security_content_ctime(lastTime)`
29
30| table
31  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
32  process_integrity_level process_path process_name process_arguments process_hash process_id
33  additional_logged_in_users_list module_name_list module_hash_list
34  src dest_hostname dest dest_port transport firstTime lastTime
35
36| `cisco_nvm___outbound_connection_to_suspicious_port_filter`

Data Source

Name	Platform	Sourcetype	Source
Cisco Network Visibility Module Flow Data	Network	`'cisco:nvm:flowdata'`	`'not_applicable'`

Macros Used

Name	Value
cisco_network_visibility_module_flowdata	`sourcetype="cisco:nvm:flowdata"`
cisco_nvm___outbound_connection_to_suspicious_port_filter	`search *`

cisco_nvm___outbound_connection_to_suspicious_port_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1571	Non-Standard Port	Command And Control

Command and Control

DE.AE

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This search requires Network Visibility Module logs, which includes the flow data sourcetype. This search uses an input macro named cisco_network_visibility_module_flowdata. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Cisco Network Visibility Module logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).

Known False Positives

Some legitimate applications may use high or non-standard ports, such as alternate SSH daemons or development tools. However, many of these ports are commonly used by threat actors for reverse shells or C2 communications. Review the associated process and command-line context to determine intent.

Associated Analytic Story

Cisco Network Visibility Module Analytics

Risk Based Analytics (RBA)

Risk Message:

The host $src$ established an outbound network connection via the process $process_path$ with the commandline arguments $process_arguments$ to $dest$ over suspicious port $dest_port$.

Risk Object	Risk Object Type	Risk Score	Threat Objects
dest	system	30	process_name

References

https://mthcht.medium.com/hunting-for-suspicious-ports-activities-50ef56d5cef

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`not_applicable`	`cisco:nvm:flowdata`
Integration	✅ Passing	Dataset	`not_applicable`	`cisco:nvm:flowdata`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1