This note documents detection patterns for unexpected listening ports on Linux systems: how to find a listener that is not part of the host's baseline, attribute it to a process and binary, and decide whether it is a payload, a tunnel, or an ad hoc transfer.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| ss -tulpn | Listener on an uncommon or non-baseline port | Suspicious service | Critical | Strong runtime signal; diff against the host's known listener baseline. |
| netstat -tulpn | Port bound by an unknown process | Active payload/listener | Critical | Attribute to a PID and binary immediately; netstat is legacy and may be absent. |
| lsof -i -P -n | Port owned by a hidden, temp-path, or deleted binary | Malicious listener | Critical | Strong compromise clue; -P -n keeps ports and addresses numeric. |
| Shell history | nc -lvp (also nc -l -p, ncat -l) | Manual listener | Critical | Common reverse shell handler / pivot. |
| Shell history | python -m http.server (or python -m SimpleHTTPServer) | Ad hoc file server | High | Often payload transfer. |
| Shell history | socat TCP-LISTEN (any *-LISTEN address) | Tunnel/listener | Critical | Strong operator indicator. |
| Firewall logs | New inbound port allowed or newly reached | Exposure change | Critical | Strong operational clue. |
| Auditd | execve of a listener command, or bind/listen syscall records | Process attribution | Critical | Best attribution if enabled. |
| Journald | Service binds an unexpected port, or a bind fails with "Address already in use" | Runtime clue | High | Useful service context; a bind failure can mean a rogue listener already holds the port. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Port appears after foothold | Payload activation | Critical | Strong compromise chain. |
| Temp binary owns listener | High-confidence malicious | Critical | Strong signal. |
| Listener plus outbound callback | Full C2 behavior | Critical | Very high severity. |
| High port under service account | Suspicious context | Critical | Often exploitation-driven. |
| Listener disappears quickly | Short-lived staging | High | Common operator behavior. |
Common Tools
| Tool | Usage |
|---|---|
| ss | Socket enumeration. |
| netstat | Legacy socket review. |
| lsof | PID attribution. |
| nc | Simple listener. |
| python -m http.server | Temporary transfer port. |
| socat | Flexible listener/relay. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Live sockets | ss -tulpn | Critical | Runtime truth; run as root or the Process column is empty. |
| Process path | /proc/<pid>/exe | Critical | Binary attribution; the link ends in "(deleted)" if the binary was removed after launch. |
| Process arguments | /proc/<pid>/cmdline | High | Shows the listener flags and port even when the binary is a generic interpreter (python, perl, bash). |
| Shell history | .bash_history | Critical | Launch evidence; written only on shell exit and trivially disabled or truncated, so absence proves nothing. |
| Audit logs | /var/log/audit/audit.log | Critical | Process attribution. |
MITRE ATT&CK References
- T1046 Network Service Discovery (formerly Network Service Scanning)
- T1571 Non-Standard Port
- T1090 Proxy
Decision Tree
- Which port is unexpected? Compare ss -tulpn output against the host's baseline of expected listeners.
- Which process owns it? ss -tulpn and lsof -i -P -n give the PID; /proc/<pid>/exe and /proc/<pid>/cmdline give the binary and its arguments.
- Is the process legitimate? Check that the binary is package-owned, not in /tmp, /dev/shm or /var/tmp, not deleted, and running as the expected user.
- Is the port linked to a tunnel, payload, or transfer? Correlate with shell history, auditd execve records, and outbound connections from the same PID (ss -tnp).
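The decision tree above, worked through in code. This is an added example, not code from the original note: it parses ss -tulpn output, attributes each listener to its binary and owner, and scores it. The ss output, the PROC stand-in for /proc reads, and the BASELINE, SUSPECT_DIRS and SERVICE_ACCOUNTS values are all constructed assumptions for this example; on a live host the first two come from subprocess and /proc.

```python
"""Listener triage (added example): parse `ss -tulpn`, attribute, score."""
import re
from dataclasses import dataclass, field

# Constructed `ss -tulpn` output for this example; not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=1203,fd=5))
tcp   LISTEN 0      10           0.0.0.0:4444       0.0.0.0:*     users:(("nc",pid=31337,fd=3))
tcp   LISTEN 0      5            0.0.0.0:8000       0.0.0.0:*     users:(("python3",pid=31400,fd=3))
tcp   LISTEN 0      511          0.0.0.0:9090       0.0.0.0:*     users:(("node",pid=2200,fd=19))
tcp   LISTEN 0      5            0.0.0.0:6000       0.0.0.0:*     users:(("perl",pid=31500,fd=3))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=640,fd=6))
"""

# Constructed stand-in for readlink(/proc/<pid>/exe), the process owner and
# /proc/<pid>/cmdline. " (deleted)" is what the exe link shows once the binary is unlinked.
PROC = {
    812:   {"exe": "/usr/sbin/sshd", "user": "root", "cmdline": "sshd: /usr/sbin/sshd -D [listener]"},
    1203:  {"exe": "/usr/lib/postgresql/14/bin/postgres", "user": "postgres",
            "cmdline": "/usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main"},
    31337: {"exe": "/tmp/.x/nc (deleted)", "user": "www-data", "cmdline": "nc -lvp 4444 -e /bin/sh"},
    31400: {"exe": "/usr/bin/python3.10", "user": "www-data", "cmdline": "python3 -m http.server 8000"},
    2200:  {"exe": "/opt/app/bin/node", "user": "app", "cmdline": "node /opt/app/server.js"},
    31500: {"exe": "/usr/bin/perl", "user": "nobody", "cmdline": "perl /usr/local/lib/agent.pl"},
    640:   {"exe": "/sbin/dhclient", "user": "root", "cmdline": "/sbin/dhclient -4 eth0"},
}

# Host baseline (assumed for this example): expected (proto, port) -> expected process name.
BASELINE = {("tcp", 22): "sshd", ("tcp", 5432): "postgres", ("udp", 68): "dhclient"}
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")        # no daemon should run from here
SERVICE_ACCOUNTS = {"www-data", "nobody", "postgres", "mysql"}

SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),'
)
# The ad hoc listener / transfer tools named in this note, as they appear on a command line.
LISTENER_CMD = re.compile(
    r'(?:^|[\s/])(?:nc|ncat|netcat)\s+\S*-\w*l|socat\s.*-LISTEN|python[0-9.]*\s+-m\s+http\.server',
    re.IGNORECASE,
)


@dataclass
class Finding:
    proto: str
    port: int
    pid: int
    comm: str
    exe: str
    user: str
    cmdline: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        if not self.reasons:
            return "ok"
        if any(r.startswith(("binary ", "listener tool", "baseline expects")) for r in self.reasons):
            return "critical"          # temp/deleted binary, listener tool, or hijacked baseline port
        if "owned by service account" in self.reasons:
            return "high"              # unexpected port under a service account
        return "medium"                # unexpected port, plausible owner: verify and extend baseline


def triage(ss_output: str, proc: dict) -> list:
    """Return one Finding per listener, with every reason it was flagged."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header, or a line with no Process column (ss not run as root)
        pid = int(m["pid"])
        info = proc.get(pid, {"exe": "?", "user": "?", "cmdline": ""})
        f = Finding(m["proto"], int(m["port"]), pid, m["comm"], info["exe"], info["user"], info["cmdline"])
        expected = BASELINE.get((f.proto, f.port))
        if expected is None:
            f.reasons.append("port not in baseline")
        elif expected != f.comm:
            f.reasons.append(f"baseline expects {expected}, got {f.comm}")
        if f.exe.endswith(" (deleted)"):
            f.reasons.append("binary deleted while running")
        if f.exe.startswith(SUSPECT_DIRS):
            f.reasons.append("binary in temp path")
        if LISTENER_CMD.search(f.cmdline):
            f.reasons.append("listener tool on command line")
        if f.reasons and f.user in SERVICE_ACCOUNTS:
            f.reasons.append("owned by service account")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_SS, PROC), key=lambda x: x.port):
        print(f"{f.severity:8} {f.proto}/{f.port:<5} pid={f.pid:<6} {f.user:<9} {f.exe}")
        for r in f.reasons:
            print(f"         - {r}")
```

With the sample data the nc on 4444 and the http.server on 8000 come out critical, the perl on 6000 high (unexpected port under nobody, nothing else wrong yet), and the node on 9090 medium, which is the case where the right answer is usually to confirm with the application owner and add the port to BASELINE.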
Example Detection Templates
Grep
grep -HEi 'nc(at)?[[:space:]]+-[a-z]*l|python[0-9.]*[[:space:]]+-m[[:space:]]+(http\.server|SimpleHTTPServer)|socat[[:space:]].*-listen' /home/*/.bash_history /home/*/.zsh_history /root/.bash_history /root/.zsh_history 2>/dev/null
Journalctl
journalctl --since "-24h" -o short-iso | grep -iE 'listening on|bound to|address already in use'
Socket Inspection
ss -tulpn
lsof -i -P -n
Sigma
title: Linux Unexpected Ports
id: linux-unexpected-ports
status: experimental
description: Detects command lines that start ad hoc listeners or file servers (nc, ncat, socat, python http.server) on Linux hosts
logsource:
    product: linux
detection:
    selection_keywords:
        message|contains:
            - 'nc -lvp'
            - 'nc -l -p'
            - 'ncat -l'
            - 'socat TCP-LISTEN'
            - 'socat TCP4-LISTEN'
            - 'python -m http.server'
            - 'python3 -m http.server'
    condition: selection_keywords
falsepositives:
    - Administrators testing connectivity or moving files by hand
level: high
tags:
    - attack.command_and_control
    - attack.t1571
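A literal keyword list like the one in the Sigma rule above is easy to deploy but misses reordered flags, long options between the tool and its flags, abbreviated socat addresses, and python2's SimpleHTTPServer. The following added example (not code from the original note) shows the same detection as regexes that cover those spellings and also extract the listening port for triage. SIGMA_KEYWORDS is a keyword list of the kind the rule uses and is compared case-insensitively, as Sigma does; the history lines are constructed for this example.

```python
"""Listener command-line classifier (added example), with the literal-keyword baseline beside it."""
import re

# A literal keyword list of the kind the Sigma rule uses (assumed for this example).
# Sigma string matching is case-insensitive, so the comparison below lowercases both sides.
SIGMA_KEYWORDS = ("nc -lvp", "nc -l -p", "ncat -l", "socat TCP-LISTEN",
                  "socat TCP4-LISTEN", "python -m http.server", "python3 -m http.server")

# netcat family: any single-dash flag cluster containing l (-l, -lvp, -lvnp, -l -p ...),
# however many arguments sit between the tool name and that cluster.
NETCAT = re.compile(r'\b(?:nc|ncat|netcat)\b(?:\s+\S+)*?\s+-[a-zA-Z]*l[a-zA-Z]*(?:\s|$)')
NETCAT_PORT = re.compile(r'(?:-[a-zA-Z]*p\s*|-[a-zA-Z]*l[a-zA-Z]*\s+)(\d{1,5})\b')
# socat: any *-LISTEN address (socat also accepts the abbreviation -L), any case, any options first
SOCAT = re.compile(r'\bsocat\b.*\b(?:tcp4?|tcp6|udp4?|udp6|openssl|ssl)-l(?:isten)?\b', re.I)
SOCAT_PORT = re.compile(r'-l(?:isten)?:(\d{1,5})\b', re.I)
# python http.server (py3) and SimpleHTTPServer (py2); both default to port 8000
PYHTTP = re.compile(r'\bpython[0-9.]*\s+-m\s+(?:http\.server|SimpleHTTPServer)\b')
PYHTTP_PORT = re.compile(r'(?:http\.server|SimpleHTTPServer)\s+(\d{1,5})\b')

RULES = [  # (technique, tool regex, port regex, default port when none is given)
    ("netcat_listener", NETCAT, NETCAT_PORT, None),
    ("socat_listener", SOCAT, SOCAT_PORT, None),
    ("python_http_server", PYHTTP, PYHTTP_PORT, 8000),
]

# Constructed shell-history lines for this example; not taken from a real host.
SAMPLE_HISTORY = [
    "nc -lvp 4444",
    "nc -l -p 4444 -e /bin/sh",
    "ncat --ssl -lvnp 9001",
    "python3 -m http.server 8080",
    "python -m SimpleHTTPServer",
    "socat -d -d tcp4-listen:5555,reuseaddr,fork exec:/bin/bash",
    "socat TCP-LISTEN:8443,fork TCP:10.0.0.5:443",
    "nc -zv 10.0.0.5 22",        # a scan, not a listener
    "ls -la /tmp",
]


def sigma_keywords_hit(cmdline: str) -> bool:
    """What a plain `message|contains` list would do with this line."""
    low = cmdline.lower()
    return any(k.lower() in low for k in SIGMA_KEYWORDS)


def classify(cmdline: str):
    """Return {technique, port, sigma_keywords_hit} for a listener/transfer command, else None."""
    for technique, tool_re, port_re, default in RULES:
        if tool_re.search(cmdline):
            m = port_re.search(cmdline)
            return {
                "technique": technique,
                "port": int(m.group(1)) if m else default,
                "sigma_keywords_hit": sigma_keywords_hit(cmdline),
            }
    return None


def scan_history(lines):
    """Return [(line, classification)] for the lines that look like listeners or transfers."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((line, result))
    return hits


if __name__ == "__main__":
    for line, r in scan_history(SAMPLE_HISTORY):
        flag = "" if r["sigma_keywords_hit"] else "  <- missed by literal keywords"
        print(f"{r['technique']:20} port={r['port']!s:5} {line}{flag}")
```

Three of the seven listener lines in the sample (ncat with --ssl first, SimpleHTTPServer, and socat with -d -d before the address) are invisible to the literal list, and the port-scan line is correctly ignored by both. The regex version is what to run over history files and auditd execve records; the keyword list still has a place in a SIEM that cannot evaluate regexes.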
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Socket monitoring | Alert on new listeners: diff ss -tulpn against a per-host baseline on a schedule, or audit the bind and listen syscalls with auditd (-a always,exit -F arch=b64 -S bind,listen -k listeners) | Critical | Strong runtime detection; the auditd route also records the PID, user and executable. |
| Firewall policy | Default-deny inbound and allow only baseline ports; restrict high-port exposure | Critical | A rogue listener on a high port is then unreachable from outside, which forces the attacker toward outbound callbacks. |
| Process attribution | Review listener owners (PID, /proc/<pid>/exe, user) whenever a new port appears | High | Fast triage. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Which PID owns the port? | ss -tulpn, lsof -i -P -n | Core truth. |
| Is the binary expected? | readlink /proc/<pid>/exe, /proc/<pid>/cmdline, package ownership of the path | Suspicion scoring: a deleted or temp-path binary is near-certain compromise. |
| Is the port linked to a payload? | Shell history, auditd execve records, outbound connections from the same PID (ss -tnp) | Full chain. |