MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1571: Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

network_devices_abnormal_activity: PT-CR-476: UDP_fragments: Suspicious UDP traffic is detected
mitre_attck_command_and_control: PT-CR-467: Suspicious_Connection: A network request made by executable files is detected
mitre_attck_command_and_control: PT-CR-611: Suspicious_Connection_after_Imageload: A process opened a network connection after loading a library
mitre_attck_command_and_control: PT-CR-612: Suspicious_Connection_System_Process: A process accessed a network address

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description: Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description: Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
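Added example, not MaxPatrol SIEM rule logic: a small detector that applies both DS0029 checks above to constructed flow records. It guesses the application protocol from the first client bytes (TLS record header, HTTP verb, SSH banner) and flags flows whose destination port is not conventionally paired with that protocol; the port baseline and sample flows are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed baseline of ports conventionally paired with each protocol.
# A real deployment would derive this from the segment's own traffic profile.
EXPECTED_PORTS = {
    "tls": {443, 8443, 465, 993, 995},
    "http": {80, 8080, 8000},
    "ssh": {22},
}

def classify_payload(first_bytes: bytes) -> Optional[str]:
    """Guess the application protocol from the first bytes the client sent."""
    # TLS handshake record: content type 22 (0x16), version 3.x
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    for verb in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT "):
        if first_bytes.startswith(verb):
            return "http"
    return None  # unknown: no protocol/port judgement possible

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes

def find_mismatches(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, detected_protocol) for flows on a port unusual for that protocol."""
    hits = []
    for f in flows:
        proto = classify_payload(f.first_bytes)
        if proto is not None and f.dport not in EXPECTED_PORTS[proto]:
            hits.append((f, proto))
    return hits

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01"),   # TLS on 443: expected
    Flow("10.0.0.5", "203.0.113.20", 8088, b"\x16\x03\x03\x00\x9a\x01"),  # TLS on 8088: flag
    Flow("10.0.0.7", "203.0.113.30", 587, b"\x16\x03\x01\x00\x80\x01"),   # TLS on 587: flag
    Flow("10.0.0.9", "203.0.113.40", 80, b"GET / HTTP/1.1\r\nHost: a\r\n"),  # HTTP on 80: expected
    Flow("10.0.0.9", "203.0.113.50", 443, b"SSH-2.0-client\r\n"),          # SSH on 443: flag
]

if __name__ == "__main__":
    for flow, proto in find_mismatches(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} carries {proto}, unusual for that port")
```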

Mitigation

ID: M1030
Name: Network Segmentation
Description: Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.

ID: M1031
Name: Network Intrusion Prevention
Description: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.