Adversaries may communicate using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may change the standard port used by a protocol to bypass filtering or to muddle analysis and parsing of network data.
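The detection side of this technique, as an added example that is not part of the page or of any MITRE tooling: a small rule over Zeek-style conn.log records that flags a known service (as identified by Zeek's `service` column) on a destination port outside an assumed per-environment baseline. The baseline ports and the sample records are constructed for illustration.

```python
from typing import Dict, List, Set

# Assumed baseline (not from the page): which destination ports each
# Zeek-detected service is expected to use. Anything else is a T1571 candidate.
EXPECTED_PORTS: Dict[str, Set[int]] = {
    "ssl": {443, 8443},
    "http": {80, 8080},
    "smtp": {25, 587},
}

# Constructed sample records in Zeek conn.log column order (tab-separated):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """\
1710000001.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl
1710000002.2\tC2\t10.0.0.5\t51001\t203.0.113.10\t8088\ttcp\tssl
1710000003.3\tC3\t10.0.0.7\t51002\t198.51.100.20\t587\ttcp\tssl
1710000004.4\tC4\t10.0.0.7\t51003\t198.51.100.20\t587\ttcp\tsmtp
1710000005.5\tC5\t10.0.0.9\t51004\t192.0.2.30\t5555\ttcp\t-
"""


def find_nonstandard_ports(conn_log: str) -> List[dict]:
    """Return one finding per record whose identified service uses an unexpected port.

    Records with no identified service ('-') are skipped on purpose: this rule
    is about a known protocol on the wrong port, not about unknown traffic.
    """
    findings = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        fields = line.split("\t")
        if len(fields) < 8:
            continue  # malformed or truncated record
        uid, src, dst, resp_p, service = fields[1], fields[2], fields[4], fields[5], fields[7]
        expected = EXPECTED_PORTS.get(service)
        if expected is None or not resp_p.isdigit():
            continue
        port = int(resp_p)
        if port not in expected:
            findings.append({"uid": uid, "src": src, "dst": dst, "service": service,
                             "port": port, "expected": sorted(expected)})
    return findings


if __name__ == "__main__":
    for f in find_nonstandard_ports(SAMPLE_CONN_LOG):
        print(f"T1571 candidate {f['uid']}: {f['service']} to {f['dst']}:{f['port']}, "
              f"expected {f['expected']}")
```

On the sample data this reports C2 (TLS on 8088) and C3 (TLS on 587) while leaving the SMTP submission on 587 alone; a real deployment must also handle Zeek's compound service values such as `smtp,ssl`, which this simple lookup does not.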
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1571 | Non-Standard Port | |
| CA-7 | Continuous Monitoring | Protects | T1571 | Non-Standard Port | |
| CM-2 | Baseline Configuration | Protects | T1571 | Non-Standard Port | |
| CM-6 | Configuration Settings | Protects | T1571 | Non-Standard Port | |
| CM-7 | Least Functionality | Protects | T1571 | Non-Standard Port | |
| SC-7 | Boundary Protection | Protects | T1571 | Non-Standard Port | |
| SI-3 | Malicious Code Protection | Protects | T1571 | Non-Standard Port | |
| SI-4 | System Monitoring | Protects | T1571 | Non-Standard Port | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1571 | Non-Standard Port | |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1571 | Non-Standard Port | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1571 | Non-Standard Port | |