T1571: Non-Standard Port
Adversaries may communicate using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may change the standard port used by a protocol to bypass filtering or to muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
network_devices_abnormal_activity: PT-CR-476: UDP_Fragments: Suspicious UDP traffic is detected
mitre_attck_command_and_control: PT-CR-612: Subrule_Connection_System_Process: A process with system privileges opened a network connection
mitre_attck_command_and_control: PT-CR-467: Suspicious_Connection: A network request made by executable files is detected
mitre_attck_command_and_control: PT-CR-2814: Suspicious_Connection_System_Process: A network connection established by a process with system privileges after the process was accessed, a thread was created in the process address space, a suspicious DLL library was loaded, or a child process was started
mitre_attck_command_and_control: PT-CR-611: Suspicious_Connection_After_Imageload: A process opened a network connection after loading a library
mitre_attck_command_and_control: PT-CR-2808: Subrule_Suspicious_Connection_System_Process: An auxiliary rule for detecting network connections established by a process with system privileges after it was accessed, a thread was created in the process address space, a suspicious DLL library was loaded, or a child process was started
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Content | Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. |
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port. |
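The two detection approaches above (inspecting content for protocol behaviour and checking the protocol/port pairing) can be combined in a small analytic. The following is an added example, not code from MITRE ATT&CK or from the Positive Technologies rules listed above: it classifies each flow from the first bytes the client sent (TLS ClientHello record header, HTTP request line, SSH banner, SMTP EHLO/HELO) and raises an alert when the identified protocol appears on a port it is not expected on, so that HTTPS on 8088 or 587 and plaintext HTTP on 443 are flagged. The `STANDARD_PORTS` policy, the `Flow` record, the sample flows and the `allow` exception map are all constructed for this example and would be derived from a segment's firewall policy and actual flow telemetry in practice.

```python
"""Flag protocol/port mismatches in flow records (added example for T1571 detection).

Assumptions: each flow carries the first bytes of the client's first data packet, and
STANDARD_PORTS is a sample policy rather than a complete port registry.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Sample policy: the ports on which each application protocol is expected.
# Extend per network segment; any other port is treated as non-standard for that protocol.
STANDARD_PORTS = {
    "tls": {443},
    "http": {80, 8080},
    "ssh": {22},
    "smtp": {25, 587},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on this connection


def identify_protocol(payload: bytes) -> str:
    """Classify the application protocol from the client's first payload bytes.

    Returns "tls", "http", "ssh", "smtp" or "unknown". Only the handshake signatures
    needed for this example are checked; a production classifier covers far more.
    """
    # TLS record header: content type 0x16 (handshake) followed by major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    head = payload[:8].upper()
    if any(head.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")):
        return "http"
    if head.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"


def find_mismatches(flows: Iterable[Flow],
                    allow: Optional[Dict[Tuple[str, int], str]] = None) -> List[dict]:
    """Return one alert per flow whose identified protocol runs on a port not expected for it.

    `allow` maps (protocol, port) to a justification for approved exceptions (for example
    an internal HTTPS service deliberately published on 8443) so they are not re-reported.
    """
    allow = allow or {}
    alerts = []
    for f in flows:
        proto = identify_protocol(f.payload)
        if proto == "unknown":
            continue  # nothing to compare against; left to other rules
        if f.dport in STANDARD_PORTS[proto] or (proto, f.dport) in allow:
            continue
        alerts.append({
            "src": f.src, "dst": f.dst, "dport": f.dport, "protocol": proto,
            "reason": f"{proto} observed on port {f.dport}; expected {sorted(STANDARD_PORTS[proto])}",
        })
    return alerts


# Constructed sample flows (not real traffic). TLS_HELLO is the first 11 bytes of a
# TLS ClientHello record; the HTTP payloads are plain request lines.
TLS_HELLO = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, TLS_HELLO),                        # HTTPS where expected
    Flow("10.0.0.5", "203.0.113.20", 8088, TLS_HELLO),                       # HTTPS on a non-standard port
    Flow("10.0.0.7", "203.0.113.30", 587, TLS_HELLO),                        # TLS where SMTP is expected
    Flow("10.0.0.9", "203.0.113.40", 80, b"GET / HTTP/1.1\r\nHost: a\r\n"),  # HTTP where expected
    Flow("10.0.0.9", "203.0.113.50", 443, b"GET / HTTP/1.1\r\nHost: b\r\n"), # plaintext HTTP on 443
    Flow("10.0.0.11", "203.0.113.60", 9999, b"\x00\x01\x02\x03"),            # unrecognised, not scored
]

if __name__ == "__main__":
    for a in find_mismatches(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}:{a['dport']}  {a['reason']}")
```

Run against the sample flows it reports three alerts (TLS on 8088, TLS on 587, HTTP on 443) and stays silent on the unrecognised payload, which is the right default: a flow that cannot be classified gives no evidence of a mismatch and is better handled by rules keyed on the originating process, as the MaxPatrol rules above do.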
Mitigation
| ID | Name | Description |
|---|---|---|
| M1030 | Network Segmentation | Properly configure firewalls and proxies to limit outgoing traffic to only the ports necessary for that particular network segment. |
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |