Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Uncommonly Used Port
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Uncommonly Used Port
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Uncommonly Used Port

Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.

ID: T1065
Tactic(s): Command and Control
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 31 May 2017
Last Modified: 25 Apr 2025

Procedure Examples
Name Description
TrickBot

TrickBot uses ports 447 and 8082 for C2 communications.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Trend Micro Totbrick Oct 2016)
RedLeaves

RedLeaves can use port 995 for C2.(Citation: PWC Cloud Hopper Technical Annex April 2017)
GravityRAT

GravityRAT uses port 46769 for C2.(Citation: Talos GravityRAT)
Bankshot

Bankshot binds and listens on port 1058.(Citation: US-CERT Bankshot Dec 2017)
Emotet

Emotet has been observed communicating over non standard ports, including 7080 and 50000.(Citation: Kaspersky Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Sophos Emotet Apr 2019)(Citation: Talos Emotet Jan 2019)
HOPLIGHT

HOPLIGHT has used uncommon TCP "high port" to "high port" communication.(Citation: US-CERT HOPLIGHT Apr 2019)

MobileOrder

MobileOrder communicates with its C2 server over TCP port 3728.(Citation: Scarlet Mimic Jan 2016)
Volgmer

Some Volgmer variants use port 8088 for C2.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)
Remsec

A Remsec module has a default C2 port of 13000.(Citation: Kaspersky ProjectSauron Technical Analysis)
Agent Tesla

Agent Tesla has enabled TCP on port 587 for C2 communications.(Citation: Fortinet Agent Tesla April 2018)(Citation: Talos Agent Tesla Oct 2018)
TYPEFRAME

A TYPEFRAME variant can use port 127 for communications.(Citation: US-CERT TYPEFRAME June 2018)
Zebrocy

Zebrocy uses port 465 for C2.(Citation: ESET Zebrocy Nov 2018)
PoisonIvy

PoisonIvy opens a backdoor on TCP ports 6868 and 7777.(Citation: Symantec Darkmoon Aug 2005)
NanoCore

NanoCore communicates to its C2 over ports 6666 and 4782.(Citation: Unit 42 Gorgon Group Aug 2018)(Citation: PaloAlto NanoCore Feb 2016)
Revenge RAT

Revenge RAT has communicated over TCP port 3333.(Citation: Cylance Shaheen Nov 2018)
InnaputRAT

InnaputRAT uses port 52100 and 5876 for C2 communications.(Citation: ASERT InnaputRAT April 2018)
ZxShell

ZxShell uses ports 1985 and 1986 for communication.(Citation: Talos ZxShell Oct 2014)

CoinTicker

CoinTicker establishes outbound connections for command and control on ports 2280 and 1339.(Citation: CoinTicker 2019)
Cannon

Cannon uses port 587 for C2.(Citation: Unit42 Cannon Nov 2018)
njRAT

njRAT has been observed communicating over uncommon TCP ports, including 1177 and 8282.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)
POWERSTATS

POWERSTATS has used ports 8060 and 8888 for C2.(Citation: Unit 42 MuddyWater Nov 2017)
HiddenWasp

HiddenWasp uses port 61061 to communicate with the C2 server.(Citation: Intezer HiddenWasp Map 2019)
APT33

APT33 has used ports 808 and 880 for command and control.(Citation: Symantec Elfin Mar 2019)
Lazarus Group

Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)
APT32

APT32 backdoor can use HTTP over an uncommon TCP port (e.g 14146) which is specified in the backdoor configuration.(Citation: ESET OceanLotus Mar 2019)
Group5

Group5 C2 servers communicated with malware over TCP 8081, 8282, and 8083.(Citation: Citizen Lab Group5)
TEMP.Veles

TEMP.Veles has used ports 4444, 8531, and 50501 for C2.(Citation: FireEye TRITON 2019)
Magic Hound

Magic Hound malware has communicated with its C2 server over ports 4443 and 3543.(Citation: Unit 42 Magic Hound Feb 2017)
Gorgon Group

Gorgon Group has used a variant of ShiftyBug that communicates with its C2 server over port 6666.(Citation: Unit 42 Gorgon Group Aug 2018)
APT3

An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81.(Citation: FireEye Operation Double Tap)

Mitigations
Mitigation Description
Uncommonly Used Port Mitigation

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise. Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations. This mitigation can be implemented through the following measures: Segment Critical Systems: - Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers. - Use VLANs, firewalls, or routers to enforce logical separation. Implement DMZ for Public-Facing Services: - Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems. - Apply strict firewall rules to filter traffic between the DMZ and internal networks. Use Cloud-Based Segmentation: - In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules. - Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments. Apply Microsegmentation for Workloads: - Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement. Restrict Traffic with ACLs and Firewalls: - Apply Access Control Lists (ACLs) to network devices to enforce "deny by default" policies. - Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic. Monitor and Audit Segmented Networks: - Regularly review firewall rules, ACLs, and segmentation policies. - Monitor network flows for anomalies to ensure segmentation is effective. Test Segmentation Effectiveness: - Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

References

  1. Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
  2. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  3. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  4. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  5. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  6. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  7. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  8. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  9. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  10. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  11. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  12. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  13. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  14. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  15. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  16. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  17. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  18. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  19. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  20. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  21. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  22. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  23. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  24. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  25. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  26. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  27. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  28. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  29. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  30. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  31. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  32. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  33. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  34. Brandt, A.. (2019, May 5). Emotet 101, stage 4: command and control. Retrieved April 16, 2019.
  35. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  36. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  37. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  38. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  39. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  40. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  41. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.