Cisco NVM - Outbound Connection to Suspicious Port

name: Cisco NVM - Outbound Connection to Suspicious Port
id: fc32a8d5-bc79-4437-b48f-4646ab7bed9d
version: 4
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: |
    The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port.
    It leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes
    communicating over ports like 4444, 2222, or 51820 are commonly used by tools like Metasploit, SliverC2 or other pentest, red team or malware.
    These connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.
data_source:
    - Cisco Network Visibility Module Flow Data
search: |
    `cisco_network_visibility_module_flowdata`
    NOT dest IN (
            "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
            "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
            "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
            "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
            "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
            )
    | stats count min(_time) as firstTime max(_time) as lastTime
            values(parent_process_arguments) as parent_process_arguments
            values(process_arguments) as process_arguments
            values(parent_process_hash) as parent_process_hash
            values(process_hash) as process_hash
            values(module_name_list) as module_name_list
            values(module_hash_list) as module_hash_list
            values(dest_port) as dest_port
            values(aliul) as additional_logged_in_users_list
            values(dest_hostname) as dest_hostname
            by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
    | lookup suspicious_ports_list dest_port OUTPUTNEW comment as dest_port_metadata confidence as dest_confidence category as dest_port_category
    | where isnotnull(dest_port_metadata)
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table
      parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
      process_integrity_level process_path process_name process_arguments process_hash process_id
      additional_logged_in_users_list module_name_list module_hash_list
      src dest_hostname dest dest_port transport firstTime lastTime
    | `cisco_nvm___outbound_connection_to_suspicious_port_filter`
how_to_implement: |
    This search requires Network Visibility Module logs, which includes the flow data sourcetype.
    This search uses an input macro named `cisco_network_visibility_module_flowdata`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
    Replace the macro definition with configurations for your Splunk environment.
    The search also uses a post-filter macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
known_false_positives: |
    Some legitimate applications may use high or non-standard ports, such as alternate SSH daemons or development tools.
    However, many of these ports are commonly used by threat actors for reverse shells or C2 communications.
    Review the associated process and command-line context to determine intent.
references:
    - https://mthcht.medium.com/hunting-for-suspicious-ports-activities-50ef56d5cef
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The host $src$ established an outbound network connection via the process $process_path$ with the commandline arguments $process_arguments$ to $dest$ over suspicious port $dest_port$.
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - Cisco Network Visibility Module Analytics
    asset_type: Endpoint
    mitre_attack_id:
        - T1571
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test - Cisco NVM
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
          source: not_applicable
          sourcetype: cisco:nvm:flowdata