T1571 Non-Standard Port Mappings

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| AC-4 | Information Flow Enforcement | Protects | T1571 | Non-Standard Port |
| CA-7 | Continuous Monitoring | Protects | T1571 | Non-Standard Port |
| CM-2 | Baseline Configuration | Protects | T1571 | Non-Standard Port |
| CM-6 | Configuration Settings | Protects | T1571 | Non-Standard Port |
| CM-7 | Least Functionality | Protects | T1571 | Non-Standard Port |
| SC-7 | Boundary Protection | Protects | T1571 | Non-Standard Port |
| SI-3 | Malicious Code Protection | Protects | T1571 | Non-Standard Port |
| SI-4 | System Monitoring | Protects | T1571 | Non-Standard Port |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1571 | Non-Standard Port |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1571 | Non-Standard Port |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1571 | Non-Standard Port |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1571 | Non-Standard Port |
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1571 | Non-Standard Port |
| aws_network_firewall | AWS Network Firewall | technique_scores | T1571 | Non-Standard Port |