This note documents detection patterns related to Suspicious Inbound Connections within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Sysmon	3	Network connection	Critical	Detect inbound network sessions reaching host processes.
Security	5156	Windows Filtering Platform allowed connection	Critical	Native inbound permit telemetry.
Security	5158	Bind to local port	Critical	Detects processes opening listening ports.
Sysmon	1	Process creation	Critical	Identifies listening process or payload started before inbound traffic.
Security	4688	Process creation	High	Parent-child correlation.
Sysmon	22	DNS query	Medium	Useful when inbound listener later resolves outbound C2.
Firewall Logs	N/A	External source visibility	High	Valuable for source IP analysis.
EDR Telemetry	N/A	Process-network lineage	Critical	Full inbound session attribution.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Rare listening port	New port outside baseline	Critical	Strong listener indicator.
Userland binary listening	Temp/AppData binary opens socket	Critical	High malware probability.
LOLBIN opens listener	powershell, cmd, rundll32	Critical	Reverse shell or staging behavior.
External source to workstation	Unexpected inbound from internet	Critical	Very high-value anomaly.
SYSTEM service new listener	Service context bind	High	Persistence or implant listener.
Short-lived bind then child shell	Listener accepts then spawns shell	Critical	Reverse shell / bind shell indicator.
Admin share inbound with odd source	SMB from unusual host	High	Lateral movement possibility.

Common Tools

Tool	Usage
PowerShell	Listener / reverse shell
netcat	Bind shell
nc.exe	Simple inbound shell
socat	Port relay / listener
python.exe	HTTP or socket listener
rundll32.exe	Proxy listener payload
custom implant	Bind port or staged callback receiver

Relevant Artifacts

Sysmon Event IDs 3, 1, 22
Security Event IDs 5156, 5158, 4688
Firewall logs
Netstat snapshot
EDR network lineage
Prefetch for listening binary
Amcache for payload
ShimCache traces
MFT / USN if dropped listener binary

MITRE ATT&CK References

T1571 Non-Standard Port
T1105 Ingress Tool Transfer
T1071 Application Layer Protocol
T1021 Remote Services

Decision Tree

Which process accepted inbound connection?
- Image path
- Parent process
Port expected?
- Baseline service?
- Rare port?
Source trusted?
- Internal host
- External IP
- Repeated source
Did child process spawn?
- Shell
- Downloader
- Service action
Expand:
- Additional listeners
- Persistence
- Outbound follow-up
Scope:
- Single host
- Lateral movement
- External exposure

Example Detection Templates

KQL

SecurityEvent
| where EventID == 5158
| project TimeGenerated, Computer, ProcessName, SourcePort

Sysmon
| where EventID == 3
| project TimeGenerated, Computer, Image, SourceIp, DestinationPort

EQL

network where event.type == "start"

sequence by host.name with maxspan=5m
  [ process where process.name != null ]
  [ network where source.ip != null ]

Sigma

title: Suspicious Inbound Connection
id: 2f7b18a0-inbound-detection
status: experimental
description: Detects suspicious inbound network activity to unusual processes or ports
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
detection:
  selection:
    EventID:
      - 5158
      - 5156
  condition: selection
fields:
  - ProcessName
  - SourcePort
falsepositives:
  - Legitimate services
level: high
tags:
  - attack.command_and_control
  - attack.lateral_movement

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Port baseline	Track expected listeners	Critical	Detect drift quickly
Firewall restrictions	Limit inbound exposure	Critical	Reduce listener success
Sysmon network logging	Enable Event 3	Critical	Core visibility
Bind monitoring	Alert on new listeners	High	Detect bind shells early
EDR lineage	Preserve process-network ancestry	Critical	Essential triage source