Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)

ID: T1571
Tactic(s): Command and Control
Platforms: Linux, macOS, Windows
Data Sources: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 1.1
Created: 14 Mar 2020
Last Modified: 12 Sep 2024

Procedure Examples

Name Description
WIRTE

WIRTE has used HTTPS over ports 2083 and 2087 for C2.(Citation: Kaspersky WIRTE November 2021)

Silence

Silence has used port 444 when sending data about the system from the client to the server.(Citation: Group IB Silence Sept 2018)

PingPull

PingPull can use HTTPS over port 8080 for C2.(Citation: Unit 42 PingPull Jun 2022)

Emotet

Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.(Citation: Talos Emotet Jan 2019)(Citation: Binary Defense Emotes Wi-Fi Spreader)

StrongPity

StrongPity has used HTTPS over port 1402 in C2 communication.(Citation: Bitdefender StrongPity June 2020)

PoetRAT

PoetRAT used TLS to encrypt communications over port 143(Citation: Talos PoetRAT April 2020)

GoldenSpy

GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.(Citation: Trustwave GoldenSpy June 2020)

Covenant

Covenant listeners and controllers can be configured to use non-standard ports.(Citation: Github Covenant)

SUGARUSH

SUGARUSH has used port 4585 for a TCP connection to its C2.(Citation: Mandiant UNC3890 Aug 2022)

Raspberry Robin

Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic.(Citation: RedCanary RaspberryRobin 2022)

During Operation Wocao, the threat actors used uncommon high ports for its backdoor C2, including ports 25667 and 47000.(Citation: FoxIT Wocao December 2019)

WellMail

WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)

HOPLIGHT

HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.(Citation: US-CERT HOPLIGHT Apr 2019)

ZxShell

ZxShell can use ports 1985 and 1986 in HTTP/S communication.(Citation: Talos ZxShell Oct 2014)

Ember Bear

Ember Bear has used various non-standard ports for C2 communication.(Citation: CISA GRU29155 2024)

MoonWind

MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.(Citation: Palo Alto MoonWind March 2017)

APT32

An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration.(Citation: ESET OceanLotus Mar 2019)

During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.(Citation: Costa AvosLocker May 2022)

HARDRAIN

HARDRAIN binds and listens on port 443 with a FakeTLS method.(Citation: US-CERT HARDRAIN March 2018)

Pikabot

Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.(Citation: Elastic Pikabot 2024)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.(Citation: Unit42 OceanLotus 2017)

Metamorfo

Metamorfo has communicated with hosts over raw TCP on port 9999.(Citation: FireEye Metamorfo Apr 2018)

During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.(Citation: FireEye TRITON 2019)

BendyBear

BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.(Citation: Unit42 BendyBear Feb 2021)

Sandworm Team

Sandworm Team has used port 6789 to accept connections on the group's SSH server.(Citation: ESET BlackEnergy Jan 2016)

TEMP.Veles

TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.(Citation: FireEye TRITON 2019)

Lazarus Group

Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)

njRAT

njRAT has used port 1177 for HTTP C2 communications.(Citation: Trend Micro njRAT 2018)

FIN7

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.(Citation: FireEye FIN7 Aug 2018)

Sardonic

Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.(Citation: Bitdefender Sardonic Aug 2021)

MacMa

MacMa has used TCP port 5633 for C2 Communication.(Citation: ESET DazzleSpy Jan 2022)

Derusbi

Derusbi has used unencrypted HTTP on port 443 for C2.(Citation: Fidelis Turbo)

RotaJakiro

RotaJakiro uses a custom binary protocol over TCP port 443.(Citation: netlab360 rotajakiro vs oceanlotus)

RTM

RTM used Port 44443 for its VNC module.(Citation: ESET RTM Feb 2017)

Magic Hound

Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)

TrickBot

Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Trend Micro Totbrick Oct 2016) Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. (Citation: Bitdefender Trickbot VNC module Whitepaper 2021)

QuasarRAT

QuasarRAT can use port 4782 on the compromised host for TCP callbacks.(Citation: CISA AR18-352A Quasar RAT December 2018)

BADCALL

BADCALL communicates on ports 443 and 8000 with a FakeTLS method.(Citation: US-CERT BADCALL)

DarkVishnya

DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.(Citation: Securelist DarkVishnya Dec 2018)

TYPEFRAME

TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.(Citation: US-CERT TYPEFRAME June 2018)

KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.(Citation: Lumen KVBotnet 2023)

APT-C-36

APT-C-36 has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019)

GravityRAT

GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.(Citation: Talos GravityRAT)

APT33

APT33 has used HTTP over TCP ports 808 and 880 for command and control.(Citation: Symantec Elfin Mar 2019)

Bankshot

Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.(Citation: US-CERT Bankshot Dec 2017)

RedLeaves

RedLeaves can use HTTP over non-standard ports, such as 995, for C2.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Cyclops Blink

Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.(Citation: NCSC Cyclops Blink February 2022)

Rocke

Rocke's miner connects to a C2 server using port 51640.(Citation: Anomali Rocke March 2019)

Mitigations

Mitigation Description
Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Detection

Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)

References

  1. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  2. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  3. The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved September 12, 2024.
  4. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  5. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  6. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  7. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  8. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  9. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  10. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  11. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  12. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  13. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  14. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  15. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  16. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  17. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  18. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  19. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  20. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  21. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  22. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  23. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  24. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  25. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  26. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  27. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  28. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  29. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  30. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  31. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.
  32. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  33. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  34. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  35. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  36. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  37. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  38. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  39. Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
  40. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  41. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  42. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  43. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  44. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  45. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  46. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  47. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  48. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  49. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  50. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  51. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  52. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  53. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  54. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  55. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  56. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  57. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.