← Back to SOC feed Coverage →

Network Communication Initiated To Portmap.IO Domain

sigma MEDIUM SigmaHQ
T1041T1090.002
imNetworkSession
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-05T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

Detection Rule

Sigma (Original)

title: Network Communication Initiated To Portmap.IO Domain
id: 07837ab9-60e1-481f-a74d-c31fb496a94c
status: test
description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
references:
    - https://portmap.io/
    - https://github.com/rapid7/metasploit-framework/issues/11337
    - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
    - attack.t1041
    - attack.command-and-control
    - attack.t1090.002
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.portmap.io'
    condition: selection
falsepositives:
    - Legitimate use of portmap.io domains
level: medium

KQL (Azure Sentinel)

imNetworkSession
| where NetworkDirection =~ "true" and DstHostname endswith ".portmap.io"

Required Data Sources

Sentinel TableNotes
imNetworkSessionEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml