Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.

  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP/UDP:53 (DNS)
  • TCP:1024-4999 (OPC on XP/Win2k3)
  • TCP:49152-65535 (OPC on Vista and later)
  • TCP:23 (TELNET)
  • UDP:161 (SNMP)
  • TCP:502 (MODBUS)
  • TCP:102 (S7comm/ISO-TSAP)
  • TCP:20000 (DNP3)
  • TCP:44818 (Ethernet/IP)
ID: T0885
Sub-techniques:  No sub-techniques
Platforms: None
Contributors: Matan Dobrushin - Otorio
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team used port 443 to communicate with their C2 servers. [1]

S0603 Stuxnet

Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. [2]

S1009 Triton

Triton uses TriStations default UDP port, 1502, to communicate with devices. [3]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0013 Field I/O
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0014 Routers
A0010 Safety Controller
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0942 Disable or Remove Feature or Program

Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.

M0804 Human User Authentication

All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

M0931 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [4]

M0930 Network Segmentation

Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[5]

Network Traffic Flow

Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

References