Explanation

The wkpsrcdst event in the Netography Fusion Portal detects and alerts security personnel when a connection is established between two privileged ports within the monitored network environment. Privileged ports, also known as well-known ports, are those in the range 0-1023 and are typically reserved for services provided by the operating system or important applications. Unusual connections between privileged ports may indicate an attempt to exploit a service or gain unauthorized access to sensitive resources.

What to Look For

Consider source and destination IPs, ports, connection frequency and duration, data transferred, user accounts and authentication, and log files and system events when analyzing the wkpsrcdst event. Compare the connection to normal network behavior and initiate incident response if necessary.
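
The triage described above can be sketched offline against exported flow records. This is an added example, not Netography's detection logic: the CSV field names, the restriction to TCP and UDP, and the sample records are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

PRIVILEGED_MAX = 1023            # the page's definition: ports 0-1023
PORT_PROTOCOLS = {"tcp", "udp"}  # assumption: skip protocols without ports (ICMP often exports 0/0)

# Constructed sample flow records (documentation-range IPs, hypothetical field names).
SAMPLE_FLOWS = """\
srcip,srcport,dstip,dstport,protocol,bytes
192.0.2.10,123,198.51.100.5,123,udp,180
192.0.2.10,123,198.51.100.5,123,udp,180
192.0.2.44,51514,198.51.100.20,443,tcp,48211
192.0.2.77,22,198.51.100.30,443,tcp,9120443
192.0.2.77,22,198.51.100.30,443,tcp,8804110
192.0.2.90,0,198.51.100.40,0,icmp,84
203.0.113.8,53,192.0.2.53,53,udp,412
"""

def is_privileged(port):
    return 0 <= port <= PRIVILEGED_MAX

def privileged_pairs(flow_csv):
    """Group flows whose source AND destination ports are both privileged."""
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        proto = row["protocol"].lower()
        if proto not in PORT_PROTOCOLS:
            continue
        try:
            sport, dport = int(row["srcport"]), int(row["dstport"])
            nbytes = int(row["bytes"])
        except ValueError:
            continue  # skip malformed records rather than abort the review
        if is_privileged(sport) and is_privileged(dport):
            key = (row["srcip"], sport, row["dstip"], dport, proto)
            groups[key]["flows"] += 1   # connection frequency
            groups[key]["bytes"] += nbytes  # data transferred
    # Largest transfers first, so volume is reviewed alongside frequency.
    return sorted(groups.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for (sip, sp, dip, dp, proto), stats in privileged_pairs(SAMPLE_FLOWS):
        print(f"{proto} {sip}:{sp} -> {dip}:{dp} "
              f"flows={stats['flows']} bytes={stats['bytes']}")
```

Symmetric services such as NTP (123 to 123) legitimately use a privileged port on both sides, so they show up in the output and are the kind of normal behavior to baseline before escalating.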

Related MITRE ATT&CK Categories

Protocol Tunneling, Technique T1572 - Enterprise