Uncommonly Used Port

Adversaries may use non-standard ports to exfiltrate information.

ID: T1509
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command And Control
Platforms: Android, iOS
Version: 1.0
Created: 01 August 2019
Last Modified: 11 September 2019

Procedure Examples

Name Description
Cerberus

Cerberus communicates with the C2 over port 8888.[4]

Exodus

Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[2]

FlexiSpy

FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[1]

INSOMNIA

INSOMNIA has communicated with the C2 over TCP ports 43111, 43223, and 43773.[3]

Mitigations

Mitigation Description
Application Vetting

Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs.

Detection

Detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.

References