Commonly Used Port

Commonly Used Port
Technique
ID T1043
Tactic Command and Control
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
Data Sources Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring
Requires Network Yes

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as

  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP:25 (SMTP)
  • TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are

  • TCP/UDP:135 (RPC)
  • TCP:22 (SSH)
  • TCP/UDP:3389 (RDP)

Examples

  • Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080. [1]
  • C2 traffic for most Threat Group-3390 tools occurs over ports 53, 80, and 443. [2]
  • BBSRAT uses HTTP TCP port 80 and HTTPS TCP port 443 for communications. [3]
  • Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols. [4]
  • Derusbi beacons to destination port 443. [5]
  • Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols. [6]
  • EvilGrab uses port 8080 for C2. [7]
  • FTP operates over ports 21 and 20. [8]
  • One HTTPBrowser variant connected to its C2 server over port 8080. [9]
  • Hi-Zor communicates with its C2 server over port 443. [10]
  • LOWBALL command and control occurs via HTTPS over port 443. [11]
  • Mis-Type communicates over common ports such as TCP 80, 443, and 25. [12]
  • Misdat network traffic communicates over common ports like 80, 443, or 1433. [12]
  • Mivast communicates over port 80 for C2. [13]
  • MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports. [14]
  • Nidiran communicates with its C2 domain over ports 443 and 8443. [15]
  • PlugX has beaconed to its C2 over port 443. [7]
  • PowerDuke connects over 443 for C2. [16]
  • RIPTIDE is a RAT that communicates with HTTP. [17]
  • RedLeaves uses a specific port of 443 and can also use ports 53 and 80 for C2. [7]
  • S-Type uses ports 80, 443, and 8080 for C2. [12]
  • Shamoon has used TCP port 8080 for C2. [18]

Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [19]

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [19]
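The three checks above (port/protocol mismatch, lopsided client-to-server volume, and a process not previously seen on the network) applied to a handful of flow records, as an added example that is not part of the ATT&CK page or any of the tools listed. The Flow records, the process allowlist and the sample flows are constructed for illustration, not captured traffic; the second and fourth flows imitate the raw-socket-on-443 and non-DNS-on-53 behaviour the examples section describes, and the last imitates a large upload over genuine HTTP. The protocol checks only inspect the first bytes a client sends, which is what a packet capture or a Zeek-style connection log with payload prefixes would give you.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    orig_bytes: int   # bytes the client sent over the whole flow
    resp_bytes: int   # bytes the server sent back
    payload: bytes    # first bytes the client sent (constructed here)
    process: str      # process that opened the socket (from host telemetry)


def is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), major version 3, minor 1..4,
    # followed by handshake type 0x01 (ClientHello) at offset 5.
    return (len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03
            and p[2] in (1, 2, 3, 4) and p[5] == 0x01)


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def is_http_request(p: bytes) -> bool:
    return p.startswith(HTTP_METHODS)


def is_dns_query(p: bytes) -> bool:
    # 12-byte DNS header; a query from a client has QR=0, opcode 0 and
    # at least one question. Anything else on udp/53 is not DNS.
    if len(p) < 12:
        return False
    flags = int.from_bytes(p[2:4], "big")
    qdcount = int.from_bytes(p[4:6], "big")
    return (flags >> 15) == 0 and ((flags >> 11) & 0xF) == 0 and 1 <= qdcount <= 8


def is_smtp_client(p: bytes) -> bool:
    return p.upper().startswith((b"EHLO ", b"HELO "))


# What a client's first bytes should look like on each commonly used port.
EXPECTED: Dict[Tuple[str, int], Callable[[bytes], bool]] = {
    ("tcp", 80): is_http_request,
    ("tcp", 443): is_tls_client_hello,
    ("tcp", 25): is_smtp_client,
    ("udp", 53): is_dns_query,
}


def protocol_mismatch(f: Flow) -> bool:
    check = EXPECTED.get((f.proto, f.dport))
    return check is not None and not check(f.payload)


def lopsided_upload(f: Flow, ratio: int = 10, min_bytes: int = 100_000) -> bool:
    # Clients normally download more than they upload; a sizeable flow with
    # far more client bytes than server bytes deserves a look.
    return f.orig_bytes >= min_bytes and f.orig_bytes > ratio * max(f.resp_bytes, 1)


def analyze(flows: List[Flow], known_network_procs: set) -> List[Tuple[int, List[str]]]:
    findings = []
    for i, f in enumerate(flows):
        reasons = []
        if protocol_mismatch(f):
            reasons.append(f"{f.proto}/{f.dport} payload is not the expected protocol")
        if lopsided_upload(f):
            reasons.append(f"client sent {f.orig_bytes} bytes, received {f.resp_bytes}")
        if f.process and f.process not in known_network_procs:
            reasons.append(f"process {f.process} not previously seen using the network")
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    # normal HTTPS: TLS ClientHello, download-heavy, known browser
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, 4_200, 180_000,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03", "firefox.exe"),
    # custom framing on tcp/443 with no TLS at all, from an unknown binary
    Flow("10.0.0.5", "198.51.100.7", "tcp", 443, 2_100, 900,
         b"\x00\x00\x00\x40\x01\x02\x03\x04", "update.exe"),
    # normal DNS query: id 0x1234, flags 0x0100 (RD set), one question
    Flow("10.0.0.5", "10.0.0.2", "udp", 53, 60, 120,
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example", "svchost.exe"),
    # udp/53 but the "DNS header" has QR=1 and a bogus opcode
    Flow("10.0.0.5", "198.51.100.9", "udp", 53, 8_000, 900,
         b"\xde\xad\xbe\xef\x00\x00\x00\x00\x00\x00\x00\x00payload", "update.exe"),
    # genuine HTTP POST on 80, but 5 MB up against 2 KB down
    Flow("10.0.0.5", "198.51.100.20", "tcp", 80, 5_000_000, 2_000,
         b"POST /upload HTTP/1.1\r\nHost: x\r\n", "svchost.exe"),
]

# Hypothetical baseline of processes that normally use the network.
KNOWN_NETWORK_PROCS = {"firefox.exe", "svchost.exe", "outlook.exe"}

if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_FLOWS, KNOWN_NETWORK_PROCS):
        f = SAMPLE_FLOWS[idx]
        print(f"flow {idx} {f.src}->{f.dst} {f.proto}/{f.dport}: " + "; ".join(reasons))
```

Running it flags the non-TLS flow on 443 and the non-DNS flow on 53 (each also from a process outside the baseline) and the upload-heavy POST, while the two well-behaved flows pass. The thresholds in lopsided_upload are deliberately conservative; tune them to the environment, and expect the protocol checks to miss C2 that is correctly encapsulated in HTTP or TLS, which is exactly why the mitigation section pairs them with tool-specific signatures.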

References