
Systems Initiating Connections to a High Number of Ports

Detects hosts that establish network connections to a large number of distinct remote ports within the search time range. This behavior may indicate port scanning, network reconnaissance, or malicious enumeration originating from a compromised host or an unauthorized tool. The query joins NetworkConnectIP4 events to their ProcessRollup2 event, aggregates by host and process (aid, falconPID), and lists the associated file name, command line, user context, distinct port count, a sample of the ports, and the number of distinct remote IPs to assist with triage.

Tags: EDR, hunting, T1595, T1046
Data source: FDR | Difficulty: intermediate | by CrowdStrike (cql-hub.com) | 1 min read

Query

// Outbound IPv4 connections and process execution events only
#event_simpleName=/^(NetworkConnectIP4|ProcessRollup2)$/
// Normalize the process key: ProcessRollup2 carries it in TargetProcessId,
// NetworkConnectIP4 in ContextProcessId (assignment from a missing field is a no-op)
| falconPID:=TargetProcessId | falconPID:=ContextProcessId
// Normalize the user key: UserSid on Windows, UID on Linux/macOS
| UserID:=UserSid | UserID:=UID
// Keep only (aid, falconPID) pairs that have both a network event and a process event
| selfJoinFilter(field=[aid, falconPID], where=[{#event_simpleName=NetworkConnectIP4}, {#event_simpleName=ProcessRollup2}])
| groupBy([aid, ComputerName, falconPID], function=([
	collect([FileName, CommandLine, UserName, UserID]), 
	count(RemotePort, distinct=true, as=uniquePortCount), 
	collect([RemotePort], separator=", ", limit=25), 
	count(RemoteAddressIP4, distinct=true, as=remoteIPcount)
	]), limit=max)
// Drop groups with no process name or no ports (incomplete joins)
| FileName=* RemotePort=*
// Alert threshold: more than 25 distinct remote ports per process in the search window
| test(uniquePortCount>25)

Explanation

The first line restricts the search to two event types: NetworkConnectIP4 (an outbound IPv4 connection attempt) and ProcessRollup2 (a process execution). IPv6 connections arrive as NetworkConnectIP6 and are not covered by this query.

The two assignment lines build common join keys. A process is identified by TargetProcessId in ProcessRollup2 but by ContextProcessId in NetworkConnectIP4; because an assignment from a field that does not exist on an event is a no-op, each event ends up with falconPID set from whichever field it carries. The same trick maps UserSid (Windows) and UID (Linux/macOS) onto UserID.

selfJoinFilter() keeps only the (aid, falconPID) pairs that have at least one event of each type, so every network connection that survives can be attributed to a process, and network events from processes whose ProcessRollup2 falls outside the search window are dropped.

groupBy() then aggregates per host and process: collect() gathers the file name, command line and user fields from the process event; count(RemotePort, distinct=true) counts unique remote ports (without distinct=true it would count connections, and a browser making many connections to port 443 would score just as high as a scanner); collect([RemotePort], limit=25) keeps a sample of the ports for triage; and count(RemoteAddressIP4, distinct=true) shows whether the process targeted one host (a vertical port scan) or many.

FileName=* RemotePort=* discards groups where either side of the join is missing, and test(uniquePortCount>25) applies the detection threshold. Note that the count is over the whole search time range, so the same threshold is far noisier over 7 days than over 1 hour.
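To make the join and aggregation concrete, the following Python model of the query runs over constructed sample events. It is an added example and is not part of the original page or of CrowdStrike's tooling; the event dictionaries, host names, and the helper names normalize() and hunt() are assumptions. The distinct=False switch reproduces what count(RemotePort) computes without distinct=true, which is why a browser opening 60 connections to port 443 is flagged in that mode but not in the correct one.

```python
from collections import defaultdict

# Constructed sample events approximating the fields the query uses
# (not real Falcon telemetry).
PROCESS_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-A", "ComputerName": "WS01",
     "TargetProcessId": 1001, "FileName": "nmap.exe",
     "CommandLine": "nmap -p 1-1000 10.0.0.5", "UserName": "alice", "UserSid": "S-1-5-21-111"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-B", "ComputerName": "WS02",
     "TargetProcessId": 2002, "FileName": "chrome.exe",
     "CommandLine": "chrome.exe", "UserName": "bob", "UserSid": "S-1-5-21-222"},
]


def net_event(aid, pid, ip, port):
    """Build a constructed NetworkConnectIP4 event."""
    return {"event_simpleName": "NetworkConnectIP4", "aid": aid, "ContextProcessId": pid,
            "RemoteAddressIP4": ip, "RemotePort": port}


NETWORK_EVENTS = (
    # scanner-like: 30 distinct ports against a single host
    [net_event("aid-A", 1001, "10.0.0.5", p) for p in range(1, 31)]
    # browser-like: 60 connections, all to port 443, spread over three IPs
    + [net_event("aid-B", 2002, f"93.184.216.{i % 3}", 443) for i in range(60)]
    # orphan: network events whose process has no ProcessRollup2 in the window
    + [net_event("aid-C", 3003, "10.0.0.9", p) for p in range(1, 41)]
)


def normalize(event):
    """Mirror the falconPID:= / UserID:= pipes: copy whichever source field exists."""
    e = dict(event)
    for target, sources in (("falconPID", ("TargetProcessId", "ContextProcessId")),
                            ("UserID", ("UserSid", "UID"))):
        for src in sources:
            if src in e:
                e[target] = e[src]
    return e


def hunt(events, threshold=25, port_list_limit=25, distinct=True):
    """Return one result dict per (aid, falconPID) whose port count exceeds threshold.

    distinct=True mirrors count(RemotePort, distinct=true); distinct=False mirrors
    the plain count(RemotePort), i.e. the number of connection events.
    """
    events = [normalize(e) for e in events]

    # selfJoinFilter(field=[aid, falconPID]): keep keys present in both event types
    keys_by_type = defaultdict(set)
    for e in events:
        keys_by_type[e["event_simpleName"]].add((e["aid"], e["falconPID"]))
    joined = keys_by_type["NetworkConnectIP4"] & keys_by_type["ProcessRollup2"]

    # groupBy([aid, ComputerName, falconPID]) with collect()/count() aggregations
    groups = {}
    for e in events:
        key = (e["aid"], e["falconPID"])
        if key not in joined:
            continue
        g = groups.setdefault(key, {"aid": e["aid"], "falconPID": e["falconPID"],
                                    "ports": [], "ips": set(), "proc": {}})
        if e["event_simpleName"] == "ProcessRollup2":
            g["ComputerName"] = e["ComputerName"]
            for f in ("FileName", "CommandLine", "UserName", "UserID"):
                g["proc"][f] = e[f]
        else:
            g["ports"].append(e["RemotePort"])
            g["ips"].add(e["RemoteAddressIP4"])

    # FileName=* RemotePort=* and test(uniquePortCount>threshold)
    results = []
    for g in groups.values():
        if not g["proc"] or not g["ports"]:
            continue
        port_count = len(set(g["ports"])) if distinct else len(g["ports"])
        if port_count > threshold:
            results.append({
                "aid": g["aid"], "ComputerName": g["ComputerName"],
                "falconPID": g["falconPID"], **g["proc"],
                "uniquePortCount": port_count,
                "RemotePort": ", ".join(str(p) for p in sorted(set(g["ports"]))[:port_list_limit]),
                "remoteIPcount": len(g["ips"]),
            })
    return results


if __name__ == "__main__":
    for hit in hunt(PROCESS_EVENTS + NETWORK_EVENTS):
        print(hit)
```

With the default distinct=True only nmap.exe on aid-A is returned (30 distinct ports, 1 remote IP); aid-C is dropped by the self-join because its process never produced a ProcessRollup2 in the sample. Switching to distinct=False adds chrome.exe, which illustrates the false positive the distinct=true argument prevents.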

Variables to tune

Review and adjust the values for your environment:

- The threshold in test(uniquePortCount>25): raise it for hosts that legitimately reach many ports (authorized vulnerability scanners, network management or monitoring tools), or add an exclusion on FileName or ComputerName for them.
- The limit=25 in collect([RemotePort], ...): controls how many ports are shown per result, not how many are counted.
- The search time range: the count is cumulative over the window, so pick a threshold that matches the window you hunt over.