
T1571 Non-Standard Port

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may communicate using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) instead of the traditional port 443. Adversaries may change the standard port used by a protocol to bypass port-based filtering or to muddle the analysis and parsing of network data. Adversaries may also modify victim systems so that they listen on or connect to non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings. (Citation: change_rdp_port_conti)
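The defensive counterpart to this technique is a baseline of which ports each application protocol is expected on, with alerts for pairings that fall outside it. The following is an added example, not part of the ATT&CK entry or any MITRE tooling: it parses a handful of constructed, Zeek-style conn.log records (tab-separated, reduced to the columns used here) and flags connections where the identified service (TLS, HTTP, SSH, RDP, ...) is seen on a port outside the expected set. The expected-port table is an assumption that a real deployment would tune to its own environment; unidentified services ("-") are skipped because there is no baseline to compare against.

```python
"""Flag protocol/port mismatches (ATT&CK T1571) in Zeek-style conn.log records.

Added example, not part of the ATT&CK entry. The log lines are constructed;
the field layout follows Zeek's conn.log (tab-separated), but only the
columns this detector uses are included. EXPECTED_PORTS is an assumed
baseline that a real deployment would tune to its own environment.
"""

# Assumed baseline: service label (as Zeek would emit it) -> ports it is expected on.
EXPECTED_PORTS = {
    "ssl": {443, 8443},
    "http": {80, 8080},
    "ssh": {22},
    "dns": {53},
    "rdp": {3389},
}

# Subset of Zeek conn.log columns used here, in the order they appear in SAMPLE_LOG.
FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]

# Constructed sample records: two TLS sessions on non-standard ports (8088, 587),
# one RDP session on 3390, and several normal connections for contrast.
SAMPLE_LOG = (
    "1700000000.1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\n"
    "1700000001.2\t10.0.0.5\t51001\t203.0.113.11\t8088\ttcp\tssl\n"
    "1700000002.3\t10.0.0.7\t51002\t203.0.113.12\t587\ttcp\tssl\n"
    "1700000003.4\t10.0.0.9\t51003\t203.0.113.13\t22\ttcp\tssh\n"
    "1700000004.5\t10.0.0.9\t51004\t203.0.113.14\t8080\ttcp\thttp\n"
    "1700000005.6\t10.0.0.3\t51005\t203.0.113.15\t4444\ttcp\t-\n"
    "1700000006.7\t10.0.0.4\t51006\t198.51.100.20\t3390\ttcp\trdp\n"
)


def parse_conn_log(text):
    """Turn tab-separated conn.log text into a list of dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and Zeek header lines
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):  # malformed or unexpected column count
            continue
        rec = dict(zip(FIELDS, parts))
        rec["id.resp_p"] = int(rec["id.resp_p"])
        records.append(rec)
    return records


def find_nonstandard_ports(records, expected=EXPECTED_PORTS):
    """Return one finding per connection whose service runs on an unexpected port.

    Services with no baseline entry (including Zeek's '-' for unidentified
    traffic) are skipped: there is nothing to compare the port against.
    """
    findings = []
    for rec in records:
        service = rec["service"]
        if service not in expected:
            continue
        port = rec["id.resp_p"]
        if port not in expected[service]:
            findings.append({
                "ts": rec["ts"],
                "src": rec["id.orig_h"],
                "dst": rec["id.resp_h"],
                "port": port,
                "service": service,
            })
    return findings


if __name__ == "__main__":
    for f in find_nonstandard_ports(parse_conn_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['port']} "
              f"service={f['service']} not on an expected port (T1571)")
```

Run as written, the detector reports the TLS sessions to 203.0.113.11:8088 and 203.0.113.12:587 and the RDP session to 198.51.100.20:3390, while the normal HTTPS, SSH and HTTP-on-8080 connections pass. The unidentified connection to port 4444 is deliberately not flagged by this rule; catching it needs a different signal (a beaconing or rare-port analytic), which is why this check is a complement to, not a replacement for, protocol identification in the sensor.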

ATT&CK tactics (1)

Command And Control

References

  1. https://attack.mitre.org/techniques/T1571
  2. https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
  3. https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
  4. https://twitter.com/TheDFIRReport/status/1498657772254240768
  5. https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.