Commonly Used Port
**This technique has been deprecated. Please use Non-Standard Port where appropriate.**

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as

* TCP:80 (HTTP)
* TCP:443 (HTTPS)
* TCP:25 (SMTP)
* TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are

* TCP/UDP:135 (RPC)
* TCP/UDP:22 (SSH)
* TCP/UDP:3389 (RDP)
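The point above that the traffic "may use the protocol associated with the port or a completely different protocol" is what gives defenders a foothold: a flow to tcp/443 whose first bytes are not a TLS ClientHello, or to tcp/80 that does not begin with an HTTP request line, is worth triage. The following is an added example, not ATT&CK content and not code from any of the families listed below; it applies first-payload-bytes heuristics to a small set of constructed flows. The `Flow` type, the `EXPECTED` baseline and the sample payloads are all assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Request-line prefixes for cleartext HTTP; anything else on tcp/80 is suspect.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


@dataclass
class Flow:
    """One observed flow: transport, destination port, first client payload bytes."""
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes    # leading bytes the client sent (constructed in the samples below)


def looks_like_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_METHODS)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def looks_like_dns_query(payload: bytes) -> bool:
    # 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
    # A query has the QR bit (0x8000) clear and at least one question.
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return (flags & 0x8000) == 0 and qdcount >= 1


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    # DNS over TCP prefixes the message with a 2-byte length field.
    return len(payload) >= 14 and looks_like_dns_query(payload[2:])


# Baseline (assumed): the protocol expected first on each (port, transport).
EXPECTED: Dict[Tuple[int, str], Tuple[str, Callable[[bytes], bool]]] = {
    (80, "tcp"): ("HTTP", looks_like_http),
    (443, "tcp"): ("TLS", looks_like_tls_client_hello),
    (53, "udp"): ("DNS", looks_like_dns_query),
    (53, "tcp"): ("DNS", looks_like_dns_over_tcp),
}


def classify(flow: Flow) -> Optional[str]:
    """Return a finding when the first bytes do not match the port's usual protocol."""
    entry = EXPECTED.get((flow.dst_port, flow.proto))
    if entry is None:
        return None            # port not in the baseline: no opinion
    name, check = entry
    if check(flow.payload):
        return None            # protocol matches the port
    return f"{flow.proto}/{flow.dst_port}: payload does not look like {name}"


def find_mismatches(flows: List[Flow]) -> List[str]:
    return [f for f in (classify(flow) for flow in flows) if f]


# Constructed sample flows; none of these are real captures.
SAMPLE_FLOWS = [
    # ordinary TLS ClientHello on 443
    Flow("tcp", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])),
    # ordinary HTTP request on 80
    Flow("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # ordinary DNS query on udp/53
    Flow("udp", 53, struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x07example\x04test\x00\x00\x01\x00\x01"),
    # cleartext HTTP sent to 443: port/protocol mismatch
    Flow("tcp", 443, b"GET /update HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # raw custom framing sent to 443: port/protocol mismatch
    Flow("tcp", 443, b"\xde\xad\xbe\xef\x00\x00\x00\x10" + b"\x00" * 16),
    # 8080 is not in the baseline, so no opinion
    Flow("tcp", 8080, b"\x01\x02\x03"),
]

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_FLOWS):
        print(finding)
```

Two caveats a practitioner should keep in mind. First, the heuristics only see the first bytes of a flow, so legitimate non-standard use (for example QUIC on udp/443, which this baseline deliberately leaves out) will show up as findings and needs an allow-list. Second, this check does nothing against the cases in the table below where the control channel is encapsulated in the expected application-layer protocol (valid HTTPS on 443): those need content-level inspection, beaconing analysis or destination reputation rather than a port/protocol comparison.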
Procedure Examples

| Name | Description |
|---|---|
| TrickBot | TrickBot uses port 443 for C2 communications.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016) |
| PowerDuke | PowerDuke connects over 443 for C2.(Citation: Volexity PowerDuke November 2016) |
| Wiarp | Wiarp connects to external C2 infrastructure over the HTTP port.(Citation: Symantec Wiarp May 2012) |
| Proxysvc | Proxysvc uses port 443 for the control server communications.(Citation: McAfee GhostSecret) |
| Misdat | Misdat network traffic communicates over common ports like 80, 443, or 1433.(Citation: Cylance Dust Storm) |
| Linux Rabbit | Linux Rabbit checks to see if an SSH server is listening on port 22.(Citation: Anomali Linux Rabbit 2018) |
| KEYMARBLE | KEYMARBLE uses port 443 for C2.(Citation: US-CERT KEYMARBLE Aug 2018) |
| HAWKBALL | HAWKBALL has sent HTTP GET requests over port 443 for C2.(Citation: FireEye HAWKBALL Jun 2019) |
| Naid | Naid connects to external C2 infrastructure over port 443.(Citation: Symantec Naid June 2012) |
| RedLeaves | RedLeaves uses a specific port of 443 and can also use ports 53 and 80 for C2. One RedLeaves variant uses HTTP over port 443 to connect to its C2 server.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018) |
| AuditCred | AuditCred has used Port Number 443 for C2 communications.(Citation: TrendMicro Lazarus Nov 2018) |
| OceanSalt | OceanSalt uses Port Number 8080 for C2.(Citation: McAfee Oceansalt Oct 2018) |
| LOWBALL | LOWBALL command and control occurs via HTTPS over port 443.(Citation: FireEye admin@338) |
| EvilGrab | EvilGrab uses port 8080 for C2.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
| Emotet | Emotet has used ports 20, 22, 80, 443, 8080, and 8443.(Citation: CIS Emotet Apr 2017)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Carbon Black Emotet Apr 2019) |
| Empire | Empire can conduct command and control over commonly used ports like 80 and 443.(Citation: Github PowerShell Empire) |
| ELMER | ELMER uses HTTP over port 443 for command and control.(Citation: FireEye EPS Awakens Part 2) |
| FlawedGrace | FlawedGrace has used port 443 for C2 communications.(Citation: Proofpoint TA505 Jan 2019) |
| FlawedAmmyy | FlawedAmmyy has used port 443 for C2.(Citation: Proofpoint TA505 Mar 2018) |
| HOPLIGHT | HOPLIGHT has connected outbound over TCP port 443.(Citation: US-CERT HOPLIGHT Apr 2019) |
| InvisiMole | InvisiMole uses port 80 for C2.(Citation: ESET InvisiMole June 2018) |
| Volgmer | Some Volgmer variants use ports 8080 and 8000 for C2.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014) |
| Fysbis | Fysbis has used port 80 for C2.(Citation: Fysbis Palo Alto Analysis) |
| UBoatRAT | UBoatRAT uses ports 80 and 443 for C2 communications.(Citation: PaloAlto UBoatRAT Nov 2017) |
| Hi-Zor | Hi-Zor communicates with its C2 server over port 443.(Citation: Fidelis INOCNATION) |
| KeyBoy | KeyBoy calls back to the C2 server over ports 53, 80, and 443.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013) |
| BBSRAT | BBSRAT uses HTTP TCP port 80 and HTTPS TCP port 443 for communications.(Citation: Palo Alto Networks BBSRAT) |
| PlugX | PlugX has beaconed to its C2 over port 443.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: CIRCL PlugX March 2013) |
| Bisonal | Bisonal uses 443 for C2 communications.(Citation: Unit 42 Bisonal July 2018) |
| S-Type | S-Type uses ports 80, 443, and 8080 for C2.(Citation: Cylance Dust Storm) |
| Duqu | Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.(Citation: Symantec W32.Duqu) |
| Carbanak | Carbanak uses Port Numbers 443 and 80 for the C2 server.(Citation: FireEye CARBANAK June 2017) |
| Briba | Briba connects to external C2 infrastructure over port 443.(Citation: Symantec Briba May 2012) |
| TYPEFRAME | TYPEFRAME variants can use ports 443, 8443, and 8080 for communications.(Citation: US-CERT TYPEFRAME June 2018) |
| Ixeshe | Ixeshe has used TCP port 443 for C2.(Citation: Trend Micro IXESHE 2012) |
| Derusbi | Derusbi beacons to destination port 443.(Citation: Fidelis Turbo) |
| BadPatch | BadPatch uses port 26 for C2 communications.(Citation: Unit 42 BadPatch Oct 2017) |
| RATANKBA | RATANKBA uses port 443 for C2.(Citation: RATANKBA) |
| BADCALL | BADCALL uses ports 8000 and 443 for C2.(Citation: US-CERT BADCALL) |
| Nidiran | Nidiran communicates with its C2 domain over ports 443 and 8443.(Citation: Symantec Suckfly May 2016) |
| MoonWind | MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.(Citation: Palo Alto MoonWind March 2017) |
| Cobalt Strike | Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.(Citation: cobaltstrike manual) |
| ServHelper | ServHelper has used ports 80 and 443 for C2.(Citation: Proofpoint TA505 Jan 2019) |
| RIPTIDE | RIPTIDE is a RAT that communicates with HTTP.(Citation: Moran 2014) |
| Pasam | Pasam connects to external C2 infrastructure and opens a backdoor over port 443. |