Adversaries may communicate using a protocol and port pairing that are not typically associated with one another. For example, HTTPS over port 8088[1] or port 587[2] as opposed to the traditional port 443. Adversaries may change the standard port used by a protocol to bypass port-based filtering or to muddle analysis/parsing of network data by tools that assume the protocol from the port.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.[3]
ID | Name | Description |
---|---|---|
G0099 | APT-C-36 | |
G0050 | APT32 | An APT32 backdoor can use HTTP over a non-standard TCP port (e.g. 14146) which is specified in the backdoor configuration.[5] |
G0064 | APT33 | APT33 has used HTTP over TCP ports 808 and 880 for command and control.[1] |
S0245 | BADCALL | BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[6] |
S0239 | Bankshot | Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[7] |
S0574 | BendyBear | BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[8] |
C0018 | C0018 | During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.[9] |
C0032 | C0032 | During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[10] |
S0687 | Cyclops Blink | Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.[11] |
G0105 | DarkVishnya | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, and 31337 for shellcode C2.[12] |
S0021 | Derusbi | |
S0367 | Emotet | Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[14][15] |
G0046 | FIN7 | FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[16] |
S0493 | GoldenSpy | GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[17] |
S0237 | GravityRAT | GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.[18] |
S0246 | HARDRAIN | HARDRAIN binds and listens on port 443 with a FakeTLS method.[19] |
S0376 | HOPLIGHT | HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[20] |
G0032 | Lazarus Group | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.[21][22] |
S1016 | MacMa | |
G0059 | Magic Hound | Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[24][25] |
S0455 | Metamorfo | Metamorfo has communicated with hosts over raw TCP on port 9999.[26] |
S0149 | MoonWind | MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with those ports.[27] |
S0385 | njRAT | |
C0014 | Operation Wocao | During Operation Wocao, the threat actors used uncommon high ports for their backdoor C2, including ports 25667 and 47000.[29] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.[30] |
S1031 | PingPull | |
S0428 | PoetRAT | PoetRAT used TLS to encrypt communications over port 143.[32] |
S0262 | QuasarRAT | QuasarRAT can use port 4782 on the compromised host for TCP callbacks.[33] |
S0153 | RedLeaves | RedLeaves can use HTTP over non-standard ports, such as 995, for C2.[34] |
G0106 | Rocke | |
S1078 | RotaJakiro | RotaJakiro uses a custom binary protocol over TCP port 443.[36] |
S0148 | RTM | |
G0034 | Sandworm Team | Sandworm Team has used port 6789 to accept connections on the group's SSH server.[38] |
S1085 | Sardonic | Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.[39] |
G0091 | Silence | Silence has used port 444 when sending data about the system from the client to the server.[40] |
S0491 | StrongPity | StrongPity has used HTTPS over port 1402 in C2 communication.[41] |
S1049 | SUGARUSH | SUGARUSH has used port 4585 for a TCP connection to its C2.[42] |
S0266 | TrickBot | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[43][44][45] Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443.[46] |
S0263 | TYPEFRAME | TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.[47] |
S0515 | WellMail | WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[48][49] |
G0090 | WIRTE | |
S0412 | ZxShell | ZxShell can use ports 1985 and 1986 in HTTP/S communication.[51] |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
M1030 | Network Segmentation | Properly configure firewalls and proxies to limit outgoing traffic to only the ports necessary for that particular network segment. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Traffic Content | Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. |
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port. |
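The technique description and the Network Traffic Content detection row describe one check from opposite sides: the protocol actually observed on the wire versus the protocol normally expected on the destination port. The following is an added example, not part of the ATT&CK page and not code from any of the tools or groups listed above. It applies that check to the first client payload bytes of a TCP flow: it classifies the bytes as HTTP, SSH, SMTP or TLS from their framing, compares the result with a port-to-protocol expectation table (an assumption here; tune it to the environment), and flags both patterns the procedure examples show: a recognised protocol on a port with no expectation (HTTP on 8088, SSH on 6789) and unexpected bytes on a well-known port (plaintext HTTP or a custom binary protocol on 443, non-SMTP bytes on 25). The sample flows are constructed, not real captures.

```python
"""Flag port/protocol mismatches from the first client bytes of a TCP flow.

Added example for the Non-Standard Port technique; not code from the ATT&CK page.
The EXPECTED table and the SAMPLE_FLOWS are assumptions/constructed data.
"""

# Assumption: protocol normally expected on each destination port.
EXPECTED = {
    22: "ssh", 25: "smtp", 80: "http", 443: "tls", 587: "smtp",
    993: "tls", 995: "tls", 8080: "http", 8443: "tls",
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify(payload: bytes) -> str:
    """Name the protocol the first client payload bytes look like."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:512]:
        return "http"
    if payload.startswith(b"SSH-"):            # SSH identification string
        return "ssh"
    if payload[:5].upper() in (b"EHLO ", b"HELO "):
        return "smtp"
    # TLS: record type 0x16 (handshake), version 3.x, first handshake message
    # ClientHello (0x01), and record length == 4-byte handshake header + body.
    if (len(payload) >= 9 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        rec_len = int.from_bytes(payload[3:5], "big")
        hs_len = int.from_bytes(payload[6:9], "big")
        if rec_len == hs_len + 4:
            return "tls"
    return "unknown"


def check_flow(dst_port: int, payload: bytes) -> dict:
    """Compare observed protocol with the expectation for the port."""
    observed = classify(payload)
    expected = EXPECTED.get(dst_port)
    if expected is None:
        # No expectation for this port: a recognised protocol here is the
        # "known protocol on a non-standard port" case; unknown bytes on an
        # unknown port cannot be judged from content alone.
        verdict = "nonstandard-port" if observed != "unknown" else "unclassified"
    elif observed == expected:
        verdict = "match"
    else:
        # Plaintext HTTP or a custom binary protocol on 443, non-SMTP on 25, ...
        verdict = "mismatch"
    return {"port": dst_port, "observed": observed,
            "expected": expected, "verdict": verdict}


def _client_hello() -> bytes:
    """Build a minimal, structurally valid TLS 1.2 ClientHello record."""
    body = (b"\x03\x03" + bytes(32)      # client version, random
            + b"\x00"                    # session id length 0
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # one compression method (null)
            + b"\x00\x00")               # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows (dst_port, first client payload bytes); not captures.
SAMPLE_FLOWS = [
    (443, _client_hello()),                                            # TLS on 443: fine
    (8088, b"GET /update HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),     # HTTP on 8088
    (443, b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),    # plaintext HTTP on 443
    (443, b"\x00\x00\x00\x2a\x7f\x01\xc3\x9e\x11" + bytes(20)),        # custom binary on 443
    (6789, b"SSH-2.0-OpenSSH_9.6\r\n"),                                # SSH on an odd port
    (25, b"\x17\x03\x03\x00\x10" + bytes(16)),                         # non-SMTP bytes on 25
    (8080, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),               # HTTP on 8080: fine
]


def scan(flows=SAMPLE_FLOWS) -> list:
    """Return the findings worth alerting on, in flow order."""
    results = (check_flow(port, data) for port, data in flows)
    return [r for r in results if r["verdict"] in ("mismatch", "nonstandard-port")]


if __name__ == "__main__":
    for finding in scan():
        print(f"port {finding['port']:>5}: observed {finding['observed']:<8} "
              f"expected {finding['expected']!s:<5} -> {finding['verdict']}")
```

Two caveats matter in practice. A FakeTLS implementation that sends a well-formed ClientHello passes this first-packet check, so those samples need handshake fingerprinting or the volume, timing and direction metadata from the Network Traffic Flow row rather than content alone. And a custom binary protocol on a port with no expectation (4444, 31337, a high ephemeral-looking port) is only "unclassified" here; catching it relies on the flow-level baseline of which destination ports a segment normally talks to, which is also what the M1030 egress restriction enforces.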