outbound_tcp_4444

Explanation

The outbound_tcp_4444 NDM flags connections leaving the customer network to hosts listening on TCP port 4444. Metasploit uses port 4444 as the default local port (LPORT) for the handlers that its reverse-shell payloads call back to after exploitation, so an internal host connecting out to this port could indicate successful exploitation of a remote code execution vulnerability in a service running on the source host, with the resulting shell connecting back to the attacker's listener.

What to Look For

Exploitation activity leaving your network could be an indication that your network is compromised. Investigate the traffic to determine whether it is benign and authorized or whether it looks suspicious. If it looks suspicious, investigate the host that initiated the connection to port 4444 (the source IP in this case) to determine whether it has been compromised; the destination IP is the suspected attacker listener rather than the compromised host, and should be treated as a candidate command-and-control address.
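The rule described above, and the source/destination roles it implies for the investigation, as an added example that is not part of the original NDM documentation. The flow record format, the RFC 1918 definition of the "customer network", and the sample records are assumptions constructed for illustration.

```python
# Added example: a minimal implementation of the outbound_tcp_4444 logic over
# constructed flow records. Not the product's own code; the record format, the
# RFC 1918 definition of the customer network and the addresses are assumptions.
import ipaddress

SUSPECT_PORT = 4444

# Assumption: the customer network is the RFC 1918 private ranges.
CUSTOMER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_customer_ip(ip: str) -> bool:
    """True if the address falls inside the assumed customer network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)


def parse_flow(line: str) -> dict:
    """Parse a constructed record of the form
    '<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'."""
    ts, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "proto": proto.lower(),
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
    }


def matches_outbound_tcp_4444(flow: dict) -> bool:
    """The rule: TCP, destination port 4444, source inside the customer network,
    destination outside it. Direction matters: the connecting host (source) is
    the one to investigate; the destination is the listener it calls back to."""
    return (
        flow["proto"] == "tcp"
        and flow["dst_port"] == SUSPECT_PORT
        and is_customer_ip(flow["src_ip"])
        and not is_customer_ip(flow["dst_ip"])
    )


def find_hits(lines):
    """Run the rule over raw records and return the hosts to investigate."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if matches_outbound_tcp_4444(flow):
            hits.append({
                "ts": flow["ts"],
                "investigate_host": flow["src_ip"],  # likely exploited host
                "listener": flow["dst_ip"],          # suspected attacker handler
            })
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z tcp 10.1.2.3:51022 -> 203.0.113.9:4444",   # hit: reverse shell callback
    "2024-05-01T10:00:02Z tcp 10.1.2.3:51023 -> 203.0.113.9:443",    # ordinary HTTPS, ignored
    "2024-05-01T10:00:03Z tcp 198.51.100.7:40001 -> 10.1.2.3:4444",  # inbound to 4444: not outbound
    "2024-05-01T10:00:04Z tcp 10.1.2.3:51024 -> 10.1.2.50:4444",     # internal to internal: not leaving
    "2024-05-01T10:00:05Z udp 10.1.2.3:51025 -> 203.0.113.9:4444",   # UDP: rule is TCP only
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_FLOWS):
        print(f"{hit['ts']} investigate {hit['investigate_host']} "
              f"(listener {hit['listener']})")
```

Only the first record fires, and the rule reports the source address as the host to investigate. The inbound record to an internal port 4444 is deliberately not matched: that pattern (an external host connecting in to a listener) is a different detection. Note also that 4444 is only Metasploit's default and is trivially changed per payload, so the absence of hits from this rule says nothing about the absence of compromise.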

Related MITRE ATT&CK Categories

Exploit Public-Facing Application, Technique T1190