Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1571 | Non-Standard Port | |
| CA-7 | Continuous Monitoring | Protects | T1571 | Non-Standard Port | |
| CM-2 | Baseline Configuration | Protects | T1571 | Non-Standard Port | |
| CM-6 | Configuration Settings | Protects | T1571 | Non-Standard Port | |
| CM-7 | Least Functionality | Protects | T1571 | Non-Standard Port | |
| SC-7 | Boundary Protection | Protects | T1571 | Non-Standard Port | |
| SI-3 | Malicious Code Protection | Protects | T1571 | Non-Standard Port | |
| SI-4 | System Monitoring | Protects | T1571 | Non-Standard Port | |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1571 | Non-Standard Port | |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1571 | Non-Standard Port | |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1571 | Non-Standard Port | |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1571 | Non-Standard Port |
Comments
GuardDuty has the following finding type to flag events where adversaries may communicate using a protocol and port paring that are typically not associated.
Behavior:EC2/NetworkPortUnusual
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1571 | Non-Standard Port |
Comments
VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore, protect against adversaries attempting to use non-standard ports for C2 traffic.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1571 | Non-Standard Port |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict which protocols and port numbers are allowed through the firewall and prevent adversaries from using non-standard ports. As a result, this mapping is given a score of Significant.
References
|