external_tcp_12345

Explanation

The external_tcp_12345 NDM flags connections on TCP port 12345 coming either inbound to your network from the Internet or outbound from your network to the Internet. Threat actors have been known to use this port for multiple purposes. A threat actor group called UNC3944 redirected port 12345 to RDP (3389) in compromised networks in order to avoid detection by security software. In some cases, outbound traffic to this port may represent malware command and control activity.

What to Look For

For inbound traffic, ensure that the use of port 12345 is expected and authorized on your network. For outbound traffic, investigate the source and destination hosts to look for indications of compromise. Traffic to this port could be innocuous, particularly in cases where communications protocols dynamically assign ports.
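As an added triage example (not the NDM's own logic), the script below sorts flow records into inbound and outbound TCP 12345 connections that cross the network boundary and groups them by internal host, so each host can be checked against what is expected and authorized. The internal address ranges, the comma-separated record layout and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: these ranges are the internal network; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORT = 12345

# Constructed sample flow records: proto,src_ip,src_port,dst_ip,dst_port
SAMPLE_FLOWS = """\
tcp,203.0.113.7,51514,10.1.2.30,12345
tcp,10.1.2.44,49822,198.51.100.9,12345
tcp,10.1.2.44,49830,198.51.100.9,12345
tcp,10.1.2.50,40000,10.1.2.60,12345
udp,10.1.2.44,5353,198.51.100.9,12345
tcp,10.1.2.44,50012,192.0.2.80,443
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return (direction, internal_host, external_host), or None if out of scope."""
    proto, src, _sport, dst, dport = line.strip().split(",")
    if proto != "tcp" or int(dport) != WATCHED_PORT:
        return None
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in == dst_in:  # internal-to-internal or external-to-external: not boundary traffic
        return None
    return ("outbound", src, dst) if src_in else ("inbound", dst, src)

def triage(text):
    """Group hits by (direction, internal host) with flow count and external peers."""
    hits = defaultdict(lambda: {"flows": 0, "peers": set()})
    for line in text.splitlines():
        hit = classify(line) if line.strip() else None
        if hit:
            direction, internal, external = hit
            entry = hits[(direction, internal)]
            entry["flows"] += 1
            entry["peers"].add(external)
    return {k: {"flows": v["flows"], "peers": sorted(v["peers"])} for k, v in hits.items()}

if __name__ == "__main__":
    for (direction, host), info in triage(SAMPLE_FLOWS).items():
        print(direction, host, info)
```

Inbound groups point to internal hosts listening on 12345 that need an authorization check; outbound groups point to internal hosts whose external peers warrant investigation.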

Related MITRE ATT&CK Categories

Command and Control TA0011