Commonly Used Port
|Commonly Used Port|
|Tactic||Command and Control|
|Platform||Linux, macOS, Windows|
|Data Sources||Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring|
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as
- TCP:80 (HTTP)
- TCP:443 (HTTPS)
- TCP:25 (SMTP)
- TCP/UDP:53 (DNS)
They may use the protocol associated with the port or a completely different protocol.
For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are
- TCP/UDP:135 (RPC)
- TCP/UDP:22 (SSH)
- TCP/UDP:3389 (RDP)
- APT3 uses commonly used ports (like HTTPS/443) for command and control. 1
- APT37 has used port 8080 for C2.2
- Dragonfly established encrypted connections over port 443.3
- FIN8 has tunneled RDP backdoors over port 443.4
- Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.5
- Magic Hound malware has communicated with C2 servers over port 6667 (for IRC) and port 8080.6
- C2 traffic for most Threat Group-3390 tools occurs over ports 53, 80, and 443.7
- A variant of ADVSTORESHELL attempts communication to the C2 server over HTTP on port 443.8
- BBSRAT uses HTTP TCP port 80 and HTTPS TCP port 443 for communications.9
- Briba connects to external C2 infrastructure over port 443.10
- Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.11
- Derusbi beacons to destination port 443.12
- Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.13
- ELMER uses HTTP over port 443 for command and control.14
- EvilGrab uses port 8080 for C2.15
- FTP operates over ports 21 and 20.16
- One HTTPBrowser variant connected to its C2 server over port 8080.17
- Hi-Zor communicates with its C2 server over port 443.18
- LOWBALL command and control occurs via HTTPS over port 443.19
- Mis-Type communicates over common ports such as TCP 80, 443, and 25.20
- Misdat network traffic communicates over common ports like 80, 443, or 1433.20
- Mivast communicates over port 80 for C2.21
- MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.22
- Naid connects to external C2 infrastructure over port 443.23
- Nidiran communicates with its C2 domain over ports 443 and 8443.24
- POWERSTATS has used port 80 for C2.25
- Pasam connects to external C2 infrastructure and opens a backdoor over port 443.26
- PlugX has beaconed to its C2 over port 443.15
- PowerDuke connects over 443 for C2.27
- RIPTIDE is a RAT that communicates with HTTP.28
- RedLeaves uses a specific port of 443 and can also use ports 53 and 80 for C2.15
- S-Type uses ports 80, 443, and 8080 for C2.20
- Shamoon has used TCP port 8080 for C2.29
- Volgmer has communicated to its C2 server over port 8080.30
- connects to external C2 infrastructure over the HTTP port.31
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.32
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.32
- Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
- Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Wikipedia. (2016, June 15). File Transfer Protocol. Retrieved July 20, 2016.
- Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
- DiMaggio, J.. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
- Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.