Adversaries may generate network traffic using a protocol and port pairing that is not conventionally associated, for example HTTPS over port 8088 or port 587 instead of the traditional port 443. Moving a protocol off its standard port can bypass port-based filtering and confuse analysis or parsing tools that infer the protocol from the port number rather than from the traffic itself.
ID | Name | Description |
---|---|---|
S0480 | Cerberus | Cerberus communicates with the C2 using HTTP requests over port 8888.[1] |
S1083 | Chameleon | |
S0405 | Exodus | Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[3] |
S0408 | FlexiSpy | FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[4] |
S0463 | INSOMNIA | INSOMNIA has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.[5] |
S0485 | Mandrake | Mandrake has communicated with the C2 server over TCP port 7777.[6] |
S0539 | Red Alert 2.0 | Red Alert 2.0 has communicated with the C2 using HTTP requests over port 7878.[7] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0041 | Application Vetting | Network Communication | Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection, comparing the protocol identified from the traffic content against the port it was observed on. |
DS0029 | Network Traffic | Network Traffic Flow | Many properly configured firewalls may also naturally block command and control traffic over non-standard ports; the resulting denied-connection logs are themselves a detection artifact worth monitoring. |
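The packet/netflow check described in the detection table, written out as an added example that is not part of the ATT&CK page. It assumes Zeek-style conn.log records in which the `service` column holds the protocol Zeek identified by inspecting the traffic, independent of the port; the field subset, the `EXPECTED_PORTS` allow-list and the sample log lines are all constructed here, with the sample flows chosen to mirror the software entries above (HTTP over 8888 and 7878, HTTPS/TLS over 43111, raw TCP over 7777).

```python
"""Flag flows whose application protocol does not match the port it runs on.

Added example, not code from the ATT&CK page. Assumes Zeek-style conn.log
records (tab-separated; the field subset below is an assumption) where the
`service` column is the protocol Zeek identified by content inspection.
"""
from collections import namedtuple

# Ports conventionally associated with each Zeek service label. This is a
# constructed starting allow-list; tune it for the environment being monitored.
EXPECTED_PORTS = {
    "http": {80, 8080},
    "ssl": {443, 8443},
    "ssh": {22},
    "dns": {53},
}

Flow = namedtuple("Flow", "ts orig_h orig_p resp_h resp_p proto service")


def parse_conn_line(line):
    """Parse one constructed conn.log line:
    ts id.orig_h id.orig_p id.resp_h id.resp_p proto service (tab-separated)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    ts, orig_h, orig_p, resp_h, resp_p, proto, service = parts
    return Flow(float(ts), orig_h, int(orig_p), resp_h, int(resp_p), proto, service)


def is_non_standard_port(flow):
    """True when the identified service has a conventional port set that excludes resp_p."""
    expected = EXPECTED_PORTS.get(flow.service)
    if expected is None:
        # Unknown or unidentified service ("-"): no protocol to compare against.
        # Raw TCP C2 such as the port 7777 case cannot be caught by this rule.
        return False
    return flow.resp_p not in expected


def find_mismatches(lines):
    """Return (service, resp_h, resp_p) for every flow seen on a non-standard port."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        flow = parse_conn_line(line)
        if is_non_standard_port(flow):
            hits.append((flow.service, flow.resp_h, flow.resp_p))
    return hits


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_CONN_LOG = """\
#fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto service
1700000000.1\t10.0.0.5\t51234\t203.0.113.10\t8888\ttcp\thttp
1700000000.2\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp\tssl
1700000000.3\t10.0.0.6\t51236\t203.0.113.20\t7878\ttcp\thttp
1700000000.4\t10.0.0.6\t51237\t203.0.113.30\t43111\ttcp\tssl
1700000000.5\t10.0.0.7\t51238\t203.0.113.40\t7777\ttcp\t-
1700000000.6\t10.0.0.7\t51239\t198.51.100.1\t80\ttcp\thttp
"""

if __name__ == "__main__":
    for service, host, port in find_mismatches(SAMPLE_CONN_LOG.splitlines()):
        print(f"{service} to {host}:{port} (non-standard port)")
```

The rule fires only when the sensor could identify the protocol from content, which is why the constructed port 7777 flow with service `-` is not reported: a custom binary protocol has no expected port to compare against, and catching it needs a port allow-list or the firewall denies mentioned above rather than a protocol/port mismatch check.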