# wkpsrcdst **Explanation** The wkpsrcdst event in the Netography Fusion Portal is designed to detect and alert security personnel when a connection is established between two privileged ports within the monitored network environment. Privileged ports, also known as well-known ports, are those in the range of 0-1023, and are typically reserved for services provided by the operating system or important applications. Unusual connections between privileged ports may indicate an attempt to exploit a service or gain unauthorized access to sensitive resources. The wkpsrcdst security event is triggered when a connection is established between two privileged ports (ports in the range of 0-1023) on the network. **What to Look For** Consider source and destination IPs, ports, connection frequency and duration, data transferred, user accounts and authentication, and log files and system events when analyzing the wkpsrcdst event. Compare the connection to normal network behavior and initiate incident response if necessary. **Related MITRE ATT\&CK Categories** [Command and Control: Protocol Tunneling, Technique T1572 - Enterprise](https://attack.mitre.org/techniques/T1572) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise/wkpsrcdst.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.