registered_ports_ext_int

Explanation

The registered_ports_ext_int NDM looks for any traffic accepted onto your network from the Internet on IANA registered ports. These ports are less commonly exposed to the Internet than well-known ports and might represent a misconfiguration, untracked servers, or malicious activity.

What to Look For

It's a good idea to tune this NDM to exempt IPs and ports that you expect to be accessible from the Internet, and then to investigate all other events. Some malware may open ports for a short amount of time, so it's recommended to investigate events even if they are not currently active. Check your network and endpoint logs for any suspicious activity related to the identified ports and take appropriate remediation steps to mitigate any security risks.
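The following Python is an added illustration, not code from the original rule or its vendor: it applies the logic described above (Internet origin, IANA registered destination port, connection actually accepted, tuned exemptions) to constructed flow records. It assumes RFC 1918 ranges define "your network", Zeek-style conn_state values indicate whether the responder accepted the connection, and an allowlist of (host, port) pairs represents the tuning step.

```python
import ipaddress

# IANA registered port range (1024-49151); 0-1023 are well-known, 49152+ dynamic/private.
REGISTERED_PORTS = range(1024, 49152)

# Assumption: "your network" is the RFC 1918 space; anything else is treated as Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: Zeek-style conn_state values in which the responder answered, i.e. the
# connection was accepted rather than an unanswered (S0) or refused (REJ) probe.
ACCEPTED_STATES = {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}

# Constructed sample flows (external addresses are RFC 5737 documentation ranges):
# (orig_ip, resp_ip, resp_port, proto, conn_state)
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.0.0.5", 8443, "tcp", "SF"),   # intentionally exposed web app
    ("203.0.113.10", "10.0.0.5", 443, "tcp", "SF"),    # well-known port, outside this rule
    ("198.51.100.7", "10.0.0.9", 3389, "tcp", "S1"),   # RDP answering the Internet: investigate
    ("198.51.100.7", "10.0.0.9", 5900, "tcp", "REJ"),  # refused probe, not accepted
    ("10.0.0.3", "10.0.0.5", 8080, "tcp", "SF"),       # internal origin, outside this rule
    ("192.0.2.44", "10.0.0.20", 51000, "udp", "SF"),   # dynamic port, outside this rule
]

def from_internet(ip):
    """True when the source address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def registered_ports_ext_int(flows, allowlist=frozenset()):
    """Return accepted Internet-to-internal flows on registered ports that are not
    exempted. allowlist holds (resp_ip, resp_port) pairs you expect to be exposed."""
    events = []
    for orig_ip, resp_ip, resp_port, proto, state in flows:
        if not from_internet(orig_ip):
            continue  # only external origins count
        if resp_port not in REGISTERED_PORTS:
            continue  # well-known and dynamic ports belong to other rules
        if state not in ACCEPTED_STATES:
            continue  # a probe nobody answered was not accepted onto the network
        if (resp_ip, resp_port) in allowlist:
            continue  # tuned out: expected exposure
        events.append({"orig": orig_ip, "resp": resp_ip, "port": resp_port,
                       "proto": proto, "state": state})
    return events

if __name__ == "__main__":
    expected = frozenset({("10.0.0.5", 8443)})  # tuning: this exposure is intentional
    for ev in registered_ports_ext_int(SAMPLE_FLOWS, expected):
        print(f"investigate {ev['orig']} -> {ev['resp']}:{ev['port']}/{ev['proto']} ({ev['state']})")
```

Because the rule keys on accepted connections rather than on currently listening services, a short-lived listener still produces an event, which is why past events remain worth investigating.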

Related MITRE ATT&CK Categories

System Service Discovery, Technique T1007 - Enterprise

Remote Services, Technique T1021 - Enterprise

Traffic Signaling, Technique T1205 - Enterprise