Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as

  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP:25 (SMTP)
  • TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are

  • TCP/UDP:135 (RPC)
  • TCP/UDP:22 (SSH)
  • TCP/UDP:3389 (RDP)

ID: T1043
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring
Requires Network: Yes
Version: 1.0

Mitigations

  • Network Intrusion Prevention: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [1]
  • Network Segmentation: Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.

Examples

  • ADVSTORESHELL: A variant of ADVSTORESHELL attempts communication to the C2 server over HTTP on port 443. [38]
  • APT18: APT18 uses port 80 for C2 communications. [79] [80]
  • APT19: APT19 used TCP port 80 for C2. [71]
  • APT29: APT29 has used Port Number 443 for C2. [85]
  • APT3: APT3 uses commonly used ports (like HTTPS/443) for command and control. [77]
  • APT32: APT32 has used port 80 for C2 communications. [31] [78]
  • APT33: APT33 has used port 443 for command and control. [60]
  • APT37: APT37 has used port 8080 for C2. [76]
  • AuditCred: AuditCred has used Port Number 443 for C2 communications. [41]
  • BADCALL: BADCALL uses ports 8000 and 443 for C2. [5]
  • BadPatch: BadPatch uses port 26 for C2 communications. [39]
  • BBSRAT: BBSRAT uses HTTP TCP port 80 and HTTPS TCP port 443 for communications. [34]
  • Bisonal: Bisonal uses 443 for C2 communications. [36]
  • Briba: Briba connects to external C2 infrastructure over port 443. [35]
  • Calisto: Calisto attempted to contact the C2 server over TCP using port 80. [22]
  • Carbanak: Carbanak uses Port Numbers 443 and 80 for the C2 server. [30]
  • Carbon: Carbon uses port 80 for C2 communications. [11]
  • Cardinal RAT: Cardinal RAT is downloaded using HTTP over port 443. [14]
  • Cobalt Strike: Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols. [3]
  • Comnie: Comnie uses Port Numbers 80, 8080, 8000, and 443 for communication to the C2 servers. [46]
  • Denis: Denis uses port 53 for C2 communications. [31]
  • Derusbi: Derusbi beacons to destination port 443. [54]
  • Dragonfly 2.0: Dragonfly 2.0 used SMB over ports 445 or 139 for C2. The group also established encrypted connections over port 443. [83] [84]
  • Duqu: Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols. [6]
  • Ebury: Ebury has used UDP port 53 for C2. [62]
  • ELMER: ELMER uses HTTP over port 443 for command and control. [13]
  • Emotet: Emotet has used ports 20, 22, 80, 443, 8080, and 8443. [56] [57] [58] [59]
  • Empire: Empire can conduct command and control over commonly used ports like 80 and 443. [4]
  • EvilGrab: EvilGrab uses port 8080 for C2. [42]
  • FELIXROOT: FELIXROOT uses Port Numbers 443, 8443, and 8080 for C2 communications. [19] [20]
  • FIN7: FIN7 has used ports 53, 80, 443, and 8080 for C2. [82]
  • FIN8: FIN8 has tunneled RDP backdoors over port 443. [70]
  • FlawedAmmyy: FlawedAmmyy has used port 443 for C2. [63]
  • FlawedGrace: FlawedGrace has used port 443 for C2 communications. [64]
  • FTP: FTP operates over ports 21 and 20. [2]
  • gh0st RAT: gh0st RAT uses port 443 for C2 communications. [44]
  • HARDRAIN: HARDRAIN binds and listens on port 443. [37]
  • HAWKBALL: HAWKBALL has sent HTTP GET requests over port 443 for C2. [68]
  • Hi-Zor: Hi-Zor communicates with its C2 server over port 443. [23]
  • HOPLIGHT: HOPLIGHT has connected outbound over TCP port 443. [61]
  • HTTPBrowser: One HTTPBrowser variant connected to its C2 server over port 8080. [7]
  • InvisiMole: InvisiMole uses port 80 for C2. [33]
  • Ixeshe: Ixeshe has used TCP port 443 for C2. [65]
  • KeyBoy: KeyBoy calls back to the C2 server over ports 53, 80, and 443. [66] [67]
  • KEYMARBLE: KEYMARBLE uses port 443 for C2. [50]
  • Lazarus Group: Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080. [73] [74]
  • Linux Rabbit: Linux Rabbit checks to see if an SSH server is listening on port 22. [55]
  • LOWBALL: LOWBALL command and control occurs via HTTPS over port 443. [9]
  • Magic Hound: Magic Hound malware has communicated with C2 servers over port 6667 (for IRC) and port 8080. [69]
  • MirageFox: MirageFox uses port 80 for C2. [16]
  • Mis-Type: Mis-Type communicates over common ports such as TCP 80, 443, and 25. [12]
  • Misdat: Misdat network traffic communicates over common ports like 80, 443, or 1433. [12]
  • Mivast: Mivast communicates over port 80 for C2. [25]
  • MoonWind: MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports. [32]
  • Naid: Naid connects to external C2 infrastructure over port 443. [47]
  • Nidiran: Nidiran communicates with its C2 domain over ports 443 and 8443. [48]
  • Night Dragon: Night Dragon has used ports 25 and 80 for C2 communications. [81]
  • OceanSalt: OceanSalt uses Port Number 8080 for C2. [40]
  • Pasam: Pasam connects to external C2 infrastructure and opens a backdoor over port 443. [26]
  • PlugX: PlugX has beaconed to its C2 over port 443. [42] [43]
  • PowerDuke: PowerDuke connects over 443 for C2. [51]
  • POWERSTATS: POWERSTATS has used port 80 for C2. [49]
  • POWERTON: POWERTON has used port 443 for C2 traffic. [60]
  • Proxysvc: Proxysvc uses port 443 for the control server communications. [10]
  • RATANKBA: RATANKBA uses port 443 for C2. [21]
  • RedLeaves: RedLeaves uses a specific port of 443 and can also use ports 53 and 80 for C2. One RedLeaves variant uses HTTP over port 443 to connect to its C2 server. [42] [52]
  • RIPTIDE: RIPTIDE is a RAT that communicates with HTTP. [53]
  • S-Type: S-Type uses ports 80, 443, and 8080 for C2. [12]
  • ServHelper: ServHelper has used ports 80 and 443 for C2. [64]
  • Shamoon: Shamoon has used TCP port 8080 for C2. [24]
  • TEMP.Veles: TEMP.Veles has used port 443 for C2. [86]
  • Threat Group-3390: C2 traffic for most Threat Group-3390 tools occurs over Port Numbers 53, 80, and 443. [75]
  • TrickBot: TrickBot uses port 443 for C2 communications. [17] [18]
  • Tropic Trooper: Tropic Trooper can use ports 443 and 53 for C2 communications via malware called TClient. [72]
  • TYPEFRAME: TYPEFRAME variants can use ports 443, 8443, and 8080 for communications. [15]
  • UBoatRAT: UBoatRAT uses ports 80 and 443 for C2 communications. [45]
  • Volgmer: Some Volgmer variants use ports 8080 and 8000 for C2. [27] [28] [29]
  • Wiarp: Wiarp connects to external C2 infrastructure over the HTTP port. [8]

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [1]
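The technique description notes that an adversary may use the protocol normally associated with a port or a completely different one, and the detection guidance above asks for three things: packet contents checked against the protocol expected on the port, data flows that are unusually upload-heavy, and processes that do not normally use the network. The Python script below is an added example, not code from the ATT&CK page or from any tool it references, that applies those three checks to a handful of constructed flow records (as a sensor might assemble them from packet capture, netflow and process monitoring). The first-message heuristics, the volume thresholds, the process baseline and every sample record are assumptions made for illustration.

```python
# Added example (not from the ATT&CK page): three simple checks for
# T1043-style command and control over commonly used ports, run over
# constructed flow records. Heuristics, thresholds, baseline and
# sample data are assumptions for illustration only.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

MISMATCH = "payload does not match the protocol expected on this port"
UPLOAD_HEAVY = "client sends far more data than it receives"
UNKNOWN_PROC = "process not in the network-activity baseline"


@dataclass
class Flow:
    process: str      # process that opened the socket (process monitoring)
    proto: str        # "tcp" or "udp"
    dst_port: int
    bytes_out: int    # client -> server volume (netflow)
    bytes_in: int     # server -> client volume (netflow)
    payload: bytes    # first bytes the client sent (packet capture)


def looks_like_http(p: bytes) -> bool:
    """Plain HTTP: the client's first bytes form a request line."""
    return p.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT "))


def looks_like_tls_client_hello(p: bytes) -> bool:
    """TLS: record type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)."""
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def looks_like_dns_query(p: bytes) -> bool:
    """DNS over UDP: 12-byte header, QR bit clear, opcode 0, at least one question."""
    if len(p) < 12:
        return False
    flags_hi = p[2]
    qdcount = int.from_bytes(p[4:6], "big")
    return (flags_hi & 0x80) == 0 and ((flags_hi >> 3) & 0x0F) == 0 and qdcount >= 1


def looks_like_smtp(p: bytes) -> bool:
    """SMTP: after the server banner the client opens with EHLO or HELO."""
    return p.upper().startswith((b"EHLO ", b"HELO "))


# Expected shape of the client's first message per (proto, port). Assumption:
# only these four ports are modelled; flows to other ports are left unchecked.
EXPECTED: Dict[Tuple[str, int], Callable[[bytes], bool]] = {
    ("tcp", 80): looks_like_http,
    ("tcp", 443): looks_like_tls_client_hello,
    ("udp", 53): looks_like_dns_query,
    ("tcp", 25): looks_like_smtp,
}


def protocol_mismatch(flow: Flow) -> bool:
    """True when the port is modelled and the payload does not fit its protocol."""
    check = EXPECTED.get((flow.proto, flow.dst_port))
    return check is not None and not check(flow.payload)


def upload_heavy(flow: Flow, ratio: float = 5.0, min_bytes: int = 100_000) -> bool:
    """True when the client pushes far more than it pulls (thresholds are assumptions)."""
    return flow.bytes_out >= min_bytes and flow.bytes_out > ratio * max(flow.bytes_in, 1)


def unknown_process(flow: Flow, baseline: Set[str]) -> bool:
    return flow.process.lower() not in baseline


def analyze(flows: List[Flow], baseline: Set[str]) -> Dict[int, List[str]]:
    """Return {flow index: [reasons]} for every flow that trips at least one check."""
    findings: Dict[int, List[str]] = {}
    for i, f in enumerate(flows):
        reasons = []
        if protocol_mismatch(f):
            reasons.append(MISMATCH)
        if upload_heavy(f):
            reasons.append(UPLOAD_HEAVY)
        if unknown_process(f, baseline):
            reasons.append(UNKNOWN_PROC)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample data (not real captures); process names are illustrative.
BASELINE = {"chrome.exe", "svchost.exe", "outlook.exe", "winword.exe", "curl"}
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x04test\x00\x00\x01\x00\x01"
NOT_DNS = b"\xa1\xb2\x80\x01" + b"\x00" * 8 + b"beacon"   # QR bit set: not a query
SAMPLE_FLOWS = [
    Flow("chrome.exe", "tcp", 443, 5_000, 200_000, TLS_HELLO),                      # ordinary HTTPS
    Flow("svchost.exe", "udp", 53, 60, 120, DNS_QUERY),                             # ordinary DNS
    Flow("updater.exe", "tcp", 443, 2_000, 400, b"\x00\x00\x00\x2a\xde\xad\xbe\xef"),  # raw binary on 443, unseen process
    Flow("outlook.exe", "tcp", 25, 40_000, 3_000, b"EHLO mail.example.test\r\n"),   # ordinary SMTP
    Flow("winword.exe", "udp", 53, 2_500_000, 6_000, NOT_DNS),                      # non-DNS on 53, one-way volume
    Flow("curl", "tcp", 80, 50_000_000, 1_200, b"GET /upload HTTP/1.1\r\n"),        # real HTTP, but upload-heavy
]

if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_FLOWS, BASELINE).items():
        f = SAMPLE_FLOWS[idx]
        print(f"flow {idx} {f.process} -> {f.proto}/{f.dst_port}: " + "; ".join(reasons))
```

Running the script reports flows 2, 4 and 5: the unseen process speaking raw binary on 443, the non-DNS traffic on UDP 53 with a lopsided byte count, and the legitimate-looking HTTP session that only ever uploads. The first-message heuristics are deliberately shallow; a production sensor would dissect the full protocol, and the volume ratio and baseline must be tuned per environment to keep backup agents and update services from drowning out real findings.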

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  2. Wikipedia. (2016, June 15). File Transfer Protocol. Retrieved July 20, 2016.
  3. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  4. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  5. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  6. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  7. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  8. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  9. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  10. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  11. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  12. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  13. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  14. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  15. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  16. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  17. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  18. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  19. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  20. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  21. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  22. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  23. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  24. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  25. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  26. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  27. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  28. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  29. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  30. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  31. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  32. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  33. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  34. Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  35. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  36. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  37. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  38. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  39. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  40. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  41. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  42. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  43. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  44. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  45. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  46. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  47. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  48. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  49. Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  50. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  51. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  52. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  53. Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  54. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  55. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.
  56. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
  57. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  58. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
  59. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  60. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  61. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  62. M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  63. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  64. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  65. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  66. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  67. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  68. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  69. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  70. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  71. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  72. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  73. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  74. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  75. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  76. Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
  77. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  78. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  79. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  80. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
  81. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  82. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  83. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  84. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  85. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  86. Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.