T1571: Non-Standard Port
Adversaries may communicate using a protocol and port that are not typically paired, for example HTTPS over port 8088 or port 587 rather than the traditional port 443. Adversaries may change the standard port used by a protocol to bypass filtering or to muddle analysis and parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
network_devices_abnormal_activity: PT-CR-476: UDP_fragments: Suspicious UDP traffic is detected
mitre_attck_command_and_control: PT-CR-467: Suspicious_Connection: A network request made by executable files is detected
mitre_attck_command_and_control: PT-CR-611: Suspicious_Connection_after_Imageload: A process opened a network connection after loading a library
mitre_attck_command_and_control: PT-CR-612: Suspicious_Connection_System_Process: A process accessed a network address
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port. |
| DS0029 | Network Traffic: Network Traffic Content | Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. |
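The content check described above can be sketched as follows. This is an added example, not code from MITRE or from Positive Technologies products; the port-to-protocol map, the four protocol signatures, and the sample payloads are assumptions constructed for illustration.

```python
# Added example: compare the protocol seen in a flow's first client bytes
# with the protocol conventionally expected on its destination port.

# Assumed port-to-protocol map; a real one is defined per network segment.
EXPECTED = {22: "ssh", 25: "smtp", 80: "http", 443: "tls", 587: "smtp"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

# Constructed sample payloads (truncated to the bytes the checks read).
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
SAMPLE_FLOWS = [
    (443, CLIENT_HELLO),
    (8088, CLIENT_HELLO),
    (587, CLIENT_HELLO),
    (587, b"EHLO mail.example.test\r\n"),
    (443, b"SSH-2.0-client\r\n"),
]


def identify(payload: bytes) -> str:
    """Guess the application protocol from the first client bytes."""
    # TLS record type 0x16 (handshake), major version 0x03,
    # handshake message type 0x01 (ClientHello) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload[:5].upper() in (b"EHLO ", b"HELO "):
        return "smtp"
    return "unknown"


def check_flow(dst_port: int, payload: bytes):
    """Return a finding string for a protocol/port mismatch, else None."""
    seen = identify(payload)
    expected = EXPECTED.get(dst_port)
    if seen == expected or (expected is None and seen == "unknown"):
        return None
    return f"{seen} on port {dst_port} (expected {expected or 'no mapped protocol'})"


if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, check_flow(port, data) or "ok")
```

SMTP submission on port 587 normally starts in cleartext with EHLO before STARTTLS, so a TLS ClientHello as the first client bytes on that port is reported as a mismatch.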
Mitigation
| ID | Name | Description |
|---|---|---|
| M1030 | Network Segmentation | Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment. |
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |