Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.
An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration.
APT33 has used HTTP over TCP ports 808 and 880 for command and control.
BADCALL communicates on ports 443 and 8000 with a FakeTLS method.
Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.
BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.
During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.
Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.
DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.
Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.
FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.
GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.
GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.
HARDRAIN binds and listens on port 443 with a FakeTLS method.
HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.
Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.
Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.
Metamorfo has communicated with hosts over raw TCP on port 9999.
MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.
During Operation Wocao, the threat actors used uncommon high ports for its backdoor C2, including ports 25667 and 47000.
PoetRAT used TLS to encrypt communications over port 143
QuasarRAT can use port 4782 on the compromised host for TCP callbacks.
RedLeaves can use HTTP over non-standard ports, such as 995, for C2.
Sandworm Team has used port 6789 to accept connections on the group's SSH server.
Silence has used port 444 when sending data about the system from the client to the server.
StrongPity has used HTTPS over port 1402 in C2 communication.
SUGARUSH has used port 4585 for a TCP connection to its C2.
TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. 
TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.
WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.
ZxShell can use ports 1985 and 1986 in HTTP/S communication.
|M1031||Network Intrusion Prevention||
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.
|ID||Data Source||Data Component||Detects|
|DS0029||Network Traffic||Network Traffic Content||
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
|Network Traffic Flow||
Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port.