Adversaries may communicate using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may change the standard port used by a protocol to bypass filtering or to muddle analysis and parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
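The defensive counterpart to this technique is checking that the application protocol a sensor identifies on a connection matches the port it ran over, in both directions: a known service on an unexpected port (HTTPS on 8088 or 587, RDP on a changed port) and a well-known port carrying a service it normally does not. The following is an added example, not code from the mapping page or from MITRE; the log records are constructed in a trimmed Zeek conn.log layout, and the `EXPECTED_PORTS` policy map is an assumption to be tuned per environment.

```python
"""Flag application protocols seen on ports they are not normally paired with.

Added example for the T1571 description above; it is not code from the
mapping page or from MITRE. The records below are constructed and follow a
trimmed Zeek conn.log layout (ts, id.orig_h, id.orig_p, id.resp_h,
id.resp_p, proto, service); Zeek writes '-' when it could not identify the
service and joins several detected services with commas.
"""
from typing import Dict, List, NamedTuple, Set

# Policy map: which destination ports each identified service is expected on.
# These pairings are an assumption for the example; tune them per environment.
EXPECTED_PORTS: Dict[str, Set[int]] = {
    "ssl": {443, 8443},
    "http": {80, 8080},
    "ssh": {22},
    "rdp": {3389},
    "dns": {53},
    "smtp": {25, 465, 587},
}

# Reverse view of the policy: which services a well-known port normally carries.
PORT_TO_SERVICES: Dict[int, Set[str]] = {}
for _svc, _ports in EXPECTED_PORTS.items():
    for _port in _ports:
        PORT_TO_SERVICES.setdefault(_port, set()).add(_svc)


class ConnRecord(NamedTuple):
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str


def parse_conn_line(line: str) -> ConnRecord:
    """Parse one tab-separated conn.log record into a ConnRecord."""
    ts, orig_h, orig_p, resp_h, resp_p, proto, service = line.rstrip("\n").split("\t")
    return ConnRecord(float(ts), orig_h, int(orig_p), resp_h, int(resp_p), proto, service)


def find_mismatches(lines: List[str]) -> List[dict]:
    """Return one finding per (record, service) whose port pairing breaks the policy.

    Two cases are covered: a known service on a port it is not expected on
    (HTTPS on 8088, RDP on 3390) and a well-known port carrying a service
    other than the one it normally serves (IRC on 443).
    """
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        rec = parse_conn_line(line)
        if rec.service == "-":
            continue  # nothing identified, nothing to compare against
        for svc in rec.service.split(","):
            expected = EXPECTED_PORTS.get(svc)
            port_services = PORT_TO_SERVICES.get(rec.resp_p, set())
            if expected is not None and rec.resp_p not in expected:
                reason = f"{svc} on port {rec.resp_p}, expected {sorted(expected)}"
            elif port_services and svc not in port_services:
                reason = f"port {rec.resp_p} normally carries {sorted(port_services)}, saw {svc}"
            else:
                continue
            findings.append({
                "ts": rec.ts,
                "src": f"{rec.orig_h}:{rec.orig_p}",
                "dst": f"{rec.resp_h}:{rec.resp_p}",
                "service": svc,
                "reason": reason,
            })
    return findings


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_CONN_LOG = [
    "1700000000.1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl",   # normal HTTPS
    "1700000000.2\t10.0.0.5\t51001\t203.0.113.11\t8088\ttcp\tssl",  # HTTPS on 8088
    "1700000000.3\t10.0.0.6\t51002\t203.0.113.12\t587\ttcp\tssl",   # TLS on a mail submission port
    "1700000000.4\t10.0.0.7\t51003\t10.0.0.20\t3389\ttcp\trdp",     # normal RDP
    "1700000000.5\t10.0.0.7\t51004\t10.0.0.21\t3390\ttcp\trdp",     # RDP on a changed port
    "1700000000.6\t10.0.0.8\t51005\t203.0.113.13\t443\ttcp\tirc",   # IRC tunnelled over 443
    "1700000000.7\t10.0.0.8\t51006\t203.0.113.14\t9999\ttcp\t-",    # unidentified, skipped
]

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_CONN_LOG):
        print(f"{f['ts']:.1f} {f['src']} -> {f['dst']}: {f['reason']}")
```

The check keys on the service the sensor identified from payload, not on the port, which is the whole point: a sensor that only labels traffic by port number would call the 8088 session "unknown" and the 587 session "SMTP" and never raise either. Unidentified services are skipped rather than flagged, so this detector complements, not replaces, a rule for traffic on ports that carry no recognisable protocol at all.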
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1571 | Non-Standard Port | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of Non-Standard Port exploitation. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing the impact on system performance.
Non-Standard Port techniques involve adversaries using ports outside of the commonly recognized and secure range (e.g., ports 80 for HTTP, 443 for HTTPS) to communicate with compromised systems or exfiltrate data. These tactics help attackers avoid detection by security monitoring systems that primarily focus on well-known ports, making it harder for traditional security tools to identify malicious activities. By employing non-standard ports, attackers can bypass firewalls and network defenses, potentially facilitating covert communication or malicious data transfers.
Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow at the hardware level. This telemetry enables the detection of abnormal behaviors, such as suspicious outbound network traffic on non-standard ports or unauthorized applications attempting to communicate over unusual protocols. By closely monitoring low-level activities, Intel TDT helps security teams spot these covert methods of communication, preventing attackers from exploiting non-standard ports for command and control or data exfiltration.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2023-38035 | Ivanti Sentry Authentication Bypass Vulnerability | secondary_impact | T1571 | Non-Standard Port | |
Comments
This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. The flaw allows attackers to reach sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system.
This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security. The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities such as wget and cURL.
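The observation quoted above is a sequence rather than a single event: an inbound TLS session to port 8433 on the appliance, followed shortly by the same appliance issuing an outbound HTTP GET with a wget or cURL user agent. The following is an added example of correlating those two log sources, not code from the mapping page, from Ivanti or from the reporting vendor. Both log sets are constructed in a trimmed Zeek layout; port 8433 and the wget/cURL agents come from the text above, while the 120 s window and all host addresses are assumptions for the example.

```python
"""Correlate an inbound TLS session on a watched port with a follow-on
HTTP GET from a command-line fetcher on the same host.

Added example illustrating the observation quoted above (SSL to port 8433
followed by HTTP GET requests via wget/cURL); it is not code from the
mapping page, from Ivanti or from the reporting vendor. Both log sets are
constructed in a trimmed Zeek layout. The 120 s window and the host and
address values are assumptions for the example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

WATCHED_PORT = 8433                # port named in the observations above
WINDOW_SECONDS = 120               # assumed maximum delay between session and fetch
FETCHER_AGENTS = ("wget", "curl")  # user agents of the utilities named above


def tls_sessions_to_watched_port(conn_lines: List[str]) -> Dict[str, List[Tuple[float, str]]]:
    """Index TLS sessions that reached WATCHED_PORT, keyed by the server address.

    Each conn record is: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, service.
    """
    index: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for line in conn_lines:
        ts, orig_h, _orig_p, resp_h, resp_p, service = line.rstrip("\n").split("\t")
        if int(resp_p) == WATCHED_PORT and "ssl" in service.split(","):
            index[resp_h].append((float(ts), orig_h))
    return index


def correlate(conn_lines: List[str], http_lines: List[str]) -> List[dict]:
    """Return incidents where a server that received TLS on WATCHED_PORT then
    issued an outbound GET with a wget/curl user agent within WINDOW_SECONDS.

    Each http record is: ts, id.orig_h, id.resp_h, method, uri, user_agent.
    """
    sessions = tls_sessions_to_watched_port(conn_lines)
    incidents = []
    for line in http_lines:
        ts_text, orig_h, resp_h, method, uri, user_agent = line.rstrip("\n").split("\t")
        if method != "GET" or not user_agent.lower().startswith(FETCHER_AGENTS):
            continue  # only command-line fetchers are of interest here
        ts = float(ts_text)
        for session_ts, client in sessions.get(orig_h, []):
            # the fetch must come after the TLS session, and within the window
            if 0 <= ts - session_ts <= WINDOW_SECONDS:
                incidents.append({
                    "server": orig_h,
                    "tls_client": client,
                    "tls_ts": session_ts,
                    "fetch_ts": ts,
                    "fetch": f"{method} {resp_h}{uri}",
                    "user_agent": user_agent,
                })
    return incidents


# Constructed sample records; 192.0.2.50 stands in for the appliance.
SAMPLE_CONN_LOG = [
    "1000.0\t198.51.100.7\t40000\t192.0.2.50\t8433\tssl",  # external client reaches the watched port
    "1005.0\t10.0.0.12\t40001\t192.0.2.50\t443\tssl",      # ordinary HTTPS to the same server
    "5000.0\t198.51.100.8\t40002\t192.0.2.50\t8433\tssl",  # second session; its fetch arrives too late
]
SAMPLE_HTTP_LOG = [
    "1030.0\t192.0.2.50\t203.0.113.99\tGET\t/x.sh\tcurl/7.88.1",       # 30 s after session: flagged
    "1040.0\t192.0.2.50\t203.0.113.5\tGET\t/index.html\tMozilla/5.0",  # browser-like agent, ignored
    "1050.0\t10.0.0.9\t203.0.113.99\tGET\t/x.sh\tWget/1.21",           # host had no TLS precursor, ignored
    "5500.0\t192.0.2.50\t203.0.113.99\tGET\t/y.sh\tcurl/7.88.1",       # 500 s after session, ignored
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_CONN_LOG, SAMPLE_HTTP_LOG):
        print(f"{inc['server']}: TLS from {inc['tls_client']} at {inc['tls_ts']:.0f}, "
              f"then {inc['fetch']} ({inc['user_agent']}) at {inc['fetch_ts']:.0f}")
```

Pairing the two sources is what makes the rule useful: a management appliance fetching a file with curl, or an inbound TLS session on an administrative port, is each unremarkable on its own, while the two in quick succession on the same host match the post-exploitation pattern described above. The user-agent match is a weak signal that a tool can trivially change, so the TLS precursor, not the agent string, should carry the weight of the detection.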