Home
ATT&CK Techniques
T1571 Non-Standard Port

T1571 Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
DE.AE-02.01	Event analysis and detection	Mitigates	T1571	Non-Standard Port	Comments This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts. References
DE.CM-01.03	Unauthorized network connections and data transfers	Mitigates	T1571	Non-Standard Port	Comments This diagnostic statement provides protection from Non-Standard Port by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries. References
PR.IR-01.01	Network segmentation	Mitigates	T1571	Non-Standard Port	Comments This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and proper systems can mitigate use of this technique. References
PR.IR-04.01	Utilization monitoring	Mitigates	T1571	Non-Standard Port	Comments This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques. References
PR.IR-01.03	Network communications integrity and availability	Mitigates	T1571	Non-Standard Port	Comments This diagnostic statement protects against Non-Standard Port through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. References
PR.IR-01.04	Wireless network protection	Mitigates	T1571	Non-Standard Port	Comments This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1571	Non-Standard Port
CM-06	Configuration Settings	mitigates	T1571	Non-Standard Port
SI-03	Malicious Code Protection	mitigates	T1571	Non-Standard Port
CM-02	Baseline Configuration	mitigates	T1571	Non-Standard Port
CM-07	Least Functionality	mitigates	T1571	Non-Standard Port
SI-04	System Monitoring	mitigates	T1571	Non-Standard Port
AC-04	Information Flow Enforcement	mitigates	T1571	Non-Standard Port
SC-07	Boundary Protection	mitigates	T1571	Non-Standard Port

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.hacking.vector.Other network service	Network service that is not remote access or a web application.	related-to	T1571	Non-Standard Port
action.malware.variety.Backdoor or C2	Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.	related-to	T1571	Non-Standard Port
action.malware.variety.C2	Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.	related-to	T1571	Non-Standard Port

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
azure_firewall	Azure Firewall	technique_scores	T1571	Non-Standard Port	Comments This control can limit access to the minimum required ports and therefore protect against adversaries attempting to use non-standard ports for C2 traffic. References https://learn.microsoft.com/en-us/azure/firewall/overview
azure_network_security_groups	Azure Network Security Groups	technique_scores	T1571	Non-Standard Port	Comments This control can restrict traffic to standard ports and protocols. References https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_watcher_traffic_analytics	Azure Network Watcher: Traffic Analytics	technique_scores	T1571	Non-Standard Port	Comments This control can identify anomalous traffic that utilizes non-standard application ports. References https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
cloud_ngfw	Cloud Next-Generation Firewall (NGFW)_	technique_scores	T1571	Non-Standard Port	Comments Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict which protocols and port numbers are allowed through the firewall and prevent adversaries from using non-standard ports. As a result, this mapping is given a score of Significant. References ['https://cloud.google.com/firewalls']

AWS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
amazon_guardduty	Amazon GuardDuty	technique_scores	T1571	Non-Standard Port	Comments GuardDuty has the following finding type to flag events where adversaries may communicate using a protocol and port paring that are typically not associated. Behavior:EC2/NetworkPortUnusual References https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
amazon_virtual_private_cloud	Amazon Virtual Private Cloud	technique_scores	T1571	Non-Standard Port	Comments VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore, protect against adversaries attempting to use non-standard ports for C2 traffic. References https://docs.aws.amazon.com/vpc/latest/userguide/security.html
aws_network_firewall	AWS Network Firewall	technique_scores	T1571	Non-Standard Port	Comments AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict which protocols and port numbers are allowed through the firewall and prevent adversaries from using non-standard ports. As a result, this mapping is given a score of Significant. References https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html