The sub-techniques beta is now live! Read the release blog post for more info.

Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.

They may use commonly open ports such as

  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP:25 (SMTP)
  • TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

ID: T1436
Tactic Type: Post-Adversary Device Access
Tactic: Command And Control, Exfiltration
Platform: Android, iOS
Version: 1.0
Created: 25 October 2017
Last Modified: 19 June 2019

Procedure Examples

Name Description
FinFisher

FinFisher exfiltrates data over commonly used ports, such as ports 21, 53, and 443.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References