Adversaries may communicate using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings. (Citation: change_rdp_port_conti)
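The detection side of the behaviour described above, as an added example that is not part of the ATT&CK page or any MITRE tooling: a small checker that reads Zeek-style `conn.log` records (JSON lines; `service` and `id.resp_p` are real Zeek field names) and flags any connection where Zeek identified an application protocol on a port outside the ports normally associated with it. The service-to-port baseline and the sample log records are constructed for this example; a real deployment would derive the baseline from its own configuration baseline (CM-02/CM-06) and feed it live logs (SI-04).

```python
"""Flag connections whose identified service does not match its destination port
(MITRE ATT&CK T1571, Non-Standard Port).

Added example, not code from the ATT&CK page. Assumes Zeek conn.log in JSON
form (fields "service" and "id.resp_p" exist in Zeek); the baseline ports and
the sample records below are constructed for illustration.
"""
import json

# Assumed baseline: ports normally associated with each Zeek service label.
EXPECTED_PORTS = {
    "ssl": {443, 8443},
    "http": {80, 8080},
    "rdp": {3389},
    "ssh": {22},
    "smtp": {25, 465, 587},
}

# Constructed sample records. Ports 8088 and 587 mirror the page's own
# description of HTTPS on non-standard ports; hosts and uids are made up.
SAMPLE_CONN_LOG = """\
{"uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "service": "ssl"}
{"uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.11", "id.resp_p": 8088, "proto": "tcp", "service": "ssl"}
{"uid": "C3", "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.12", "id.resp_p": 587, "proto": "tcp", "service": "ssl"}
{"uid": "C4", "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.9", "id.resp_p": 587, "proto": "tcp", "service": "smtp"}
{"uid": "C5", "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.20", "id.resp_p": 33890, "proto": "tcp", "service": "rdp"}
{"uid": "C6", "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.21", "id.resp_p": 9999, "proto": "tcp", "service": null}
"""


def parse_conn_log(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_non_standard(record, baseline=EXPECTED_PORTS):
    """True when a baselined service was seen on a port outside its baseline.

    Zeek may label a flow with several services ("ssl,http"); each known label
    is checked. Records with no service label are not flagged: Zeek could not
    identify the protocol, so no protocol/port mismatch can be asserted.
    """
    service = record.get("service")
    port = record.get("id.resp_p")
    if service is None or port is None:
        return False
    labels = [s for s in str(service).split(",") if s]
    return any(port not in baseline[s] for s in labels if s in baseline)


def find_non_standard_ports(text, baseline=EXPECTED_PORTS):
    """Return (uid, service, port) for every record flagged by is_non_standard."""
    return [
        (r["uid"], r["service"], r["id.resp_p"])
        for r in parse_conn_log(text)
        if is_non_standard(r, baseline)
    ]


if __name__ == "__main__":
    for uid, service, port in find_non_standard_ports(SAMPLE_CONN_LOG):
        print(f"{uid}: {service} seen on non-standard port {port}")
```

On the sample data the checker reports C2 and C3 (TLS on 8088 and 587) and C5 (RDP on 33890), while C4 (SMTP submission on 587) and C6 (unidentified service) are left alone; the SMTP case shows why the comparison must be keyed on the identified protocol rather than on the port alone.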
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-04 | Information Flow Enforcement | Protects | T1571 | Non-Standard Port |
CA-07 | Continuous Monitoring | Protects | T1571 | Non-Standard Port |
CM-02 | Baseline Configuration | Protects | T1571 | Non-Standard Port |
CM-06 | Configuration Settings | Protects | T1571 | Non-Standard Port |
CM-07 | Least Functionality | Protects | T1571 | Non-Standard Port |
SC-07 | Boundary Protection | Protects | T1571 | Non-Standard Port |
SI-03 | Malicious Code Protection | Protects | T1571 | Non-Standard Port |
SI-04 | System Monitoring | Protects | T1571 | Non-Standard Port |