# external_tcp_12345

**Explanation**

The external_tcp_12345 NDM flags connections on TCP port 12345 coming either inbound to your network from the Internet or outbound from your network to the Internet. Threat actors have been known to use this port for multiple purposes. A threat actor group called UNC3944 redirected port 12345 to RDP (3389) in compromised networks in order to avoid detection by security software. In some cases, outbound traffic to this port may represent malware command and control activity.

**What to Look For**

For inbound traffic, ensure that the use of port 12345 is expected and authorized on your network. For outbound traffic, investigate the source and destination hosts to look for indications of compromise. Traffic to this port could be innocuous, particularly in cases where communications protocols dynamically assign ports.
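As an added example (not part of the Vectra documentation), the triage steps above run over constructed flow records: perimeter-crossing TCP flows to port 12345 are split into inbound and outbound, inbound hits to hosts where the service is known to be authorized are suppressed, and the rest carry a direction-specific investigation hint. The RFC 1918 internal ranges, the allowlist, and the record format are assumptions.

```python
"""Triage helper for external_tcp_12345 hits over constructed flow records."""
import ipaddress
from typing import Optional

WATCH_PORT = 12345
# RFC 1918 ranges stand in for "your network"; adjust to the monitored address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed allowlist: internal hosts where a service on TCP 12345 is expected and authorized.
AUTHORIZED_INBOUND_HOSTS = {"10.1.2.50"}

# Constructed flow records: "timestamp src_ip:src_port dst_ip:dst_port proto"
SAMPLE_FLOWS = [
    "2024-01-01T10:00:00Z 203.0.113.7:51920 10.1.2.3:12345 tcp",    # Internet -> internal, not authorized
    "2024-01-01T10:00:03Z 203.0.113.7:51921 10.1.2.50:12345 tcp",   # Internet -> authorized service
    "2024-01-01T10:00:05Z 10.1.2.9:49211 198.51.100.20:12345 tcp",  # internal -> Internet (possible C2)
    "2024-01-01T10:00:09Z 10.1.2.9:49212 10.1.2.3:12345 tcp",       # internal only: out of scope
    "2024-01-01T10:00:12Z 10.1.2.9:49213 198.51.100.20:443 tcp",    # other destination port
    "2024-01-01T10:00:15Z 203.0.113.8:12345 10.1.2.3:50000 tcp",    # 12345 only as source port
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> dict:
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto.lower()}

def classify(flow: dict) -> Optional[str]:
    """Return 'inbound' or 'outbound' for a TCP flow to port 12345 that crosses the perimeter."""
    if flow["proto"] != "tcp" or flow["dst_port"] != WATCH_PORT:
        return None
    src_in, dst_in = is_internal(flow["src_ip"]), is_internal(flow["dst_ip"])
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return None  # both sides internal or both external: outside this model's scope

def triage(lines: list) -> list:
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        direction = classify(flow)
        if direction is None or (direction == "inbound" and flow["dst_ip"] in AUTHORIZED_INBOUND_HOSTS):
            continue  # not in scope, or an expected and authorized service
        inbound = direction == "inbound"
        alerts.append({"direction": direction,
                       "internal_host": flow["dst_ip"] if inbound else flow["src_ip"],
                       "peer": flow["src_ip"] if inbound else flow["dst_ip"],
                       "hint": "confirm a service on TCP 12345 is expected on this host" if inbound
                               else "investigate source host for compromise; possible C2 (T1571/T1095)"})
    return alerts
```

Flows where 12345 appears only as a source port, or that stay inside the network, are not flagged, matching the model's scope; dynamically assigned ports still need per-protocol context that this helper does not model.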

**Related MITRE ATT&CK Categories**

[Command and Control: Non-Application Layer Protocol, Technique T1095 - Enterprise](https://attack.mitre.org/techniques/T1095)

[Command and Control: Non-Standard Port, Technique T1571 - Enterprise](https://attack.mitre.org/techniques/T1571)
