Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1571 | Non-Standard Port |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment can prevent the use of a protocol and port pairing that are typically not associated for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected patterns or protocols can be used to mitigate activity at the network level.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1571 | Non-Standard Port |
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment can prevent the use of a protocol and port pairing that are typically not associated for communication.
References
|
| I&S-09 | Network Defense | mitigates | T1571 | Non-Standard Port |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment can prevent the use of a protocol and port pairing that are typically not associated for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected patterns or protocols can be used to mitigate activity at the network level.
References
|