Uncommonly Used Port

From ATT&CK
Jump to: navigation, search
Uncommonly Used Port
Technique
ID T1065
Tactic Command and Control
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Data Sources Netflow/Enclave netflow, Process use of network, Process monitoring
Requires Network Yes

Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.

Examples

  • An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81.1
  • Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.2
  • Group5 C2 servers communicated with malware over TCP 8081, 8282, and 8083.3
  • A variant of ADVSTORESHELL attempts communication to the C2 server over HTTP on port 443.4
  • ELMER uses HTTP over port 443 for command and control.5
  • MobileOrder communicates with its C2 server over TCP port 3728.6
  • A Remsec module has a default C2 port of 13000.7

Mitigation

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.8

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.8