T1571 - Non-Standard Port#

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)

Atomic Tests#

Atomic Test #1 - Testing usage of uncommonly used port with PowerShell#

Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed.

Supported Platforms: windows

Attack Commands: Run with powershell#

Test-NetConnection -ComputerName google.com -port 8081
Invoke-AtomicTest T1571 -TestNumbers 1

Atomic Test #2 - Testing usage of uncommonly used port#

Testing uncommonly used port utilizing telnet.

Supported Platforms: linux, macos

Dependencies: Run with sh!#

Description: Requires telnet#
Check Prereq Commands:#
which telnet
Get Prereq Commands:#
echo "please install telnet to run this test"; exit 1
Invoke-AtomicTest T1571 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with sh#

echo quit | telnet google.com 8081
exit 0
Invoke-AtomicTest T1571 -TestNumbers 2

Detection#

Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)
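As an added illustration of the two checks described above (this is not code from the ATT&CK page or from Atomic Red Team), the following Python script classifies the first client payload bytes of each flow by protocol signature, compares the result against an assumed port baseline, and flags flows where the client sends far more than it receives. The `EXPECTED_PORTS` baseline, the `Flow` record and the sample flows are all constructed assumptions.

```python
from dataclasses import dataclass

# Conventional port -> protocol baseline (constructed; extend from your own environment)
EXPECTED_PORTS = {443: "tls", 8443: "tls", 80: "http", 8080: "http",
                  25: "smtp", 587: "smtp", 23: "telnet"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client
    bytes_out: int      # client -> server byte count
    bytes_in: int       # server -> client byte count

def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the client's first payload bytes."""
    # TLS handshake record: content type 0x16, version 0x03 0x00..0x04
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    head = data.split(b" ", 1)[0]
    if head in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"):
        return "http"
    if head in (b"EHLO", b"HELO"):
        return "smtp"
    # Telnet option negotiation: IAC (0xFF) followed by WILL/WONT/DO/DONT
    if len(data) >= 2 and data[0] == 0xFF and 0xFB <= data[1] <= 0xFE:
        return "telnet"
    return "unknown"

def find_anomalies(flows, upload_ratio=10.0):
    # Returns (src, dst, dport, reason) for protocol/port mismatches and lopsided uploads
    findings = []
    for f in flows:
        proto = classify_payload(f.first_bytes)
        expected = EXPECTED_PORTS.get(f.dport)
        if proto != "unknown" and expected is None:
            findings.append((f.src, f.dst, f.dport, f"{proto} on port with no baseline"))
        elif proto != "unknown" and proto != expected:
            findings.append((f.src, f.dst, f.dport, f"{proto} on {expected} port"))
        if f.bytes_in and f.bytes_out / f.bytes_in >= upload_ratio:
            findings.append((f.src, f.dst, f.dport, "client sends far more than it receives"))
    return findings

# Constructed sample flows: one normal HTTPS session plus the patterns named in the text
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00\x01", 1200, 5400),
    Flow("10.0.0.7", "203.0.113.20", 8088, b"\x16\x03\x03\x00\xb5\x01", 900, 3000),   # TLS on 8088
    Flow("10.0.0.8", "203.0.113.30", 587, b"\x16\x03\x01\x00\xf0\x01", 85000, 2000),  # TLS on 587, heavy upload
    Flow("10.0.0.9", "203.0.113.40", 8081, b"\xff\xfd\x18\xff\xfd\x20", 300, 400),    # telnet on 8081
]
```

Running `find_anomalies(SAMPLE_FLOWS)` leaves the port 443 session alone and reports the other three flows, with the port 587 flow reported twice (protocol mismatch and upload ratio). In production the signatures would come from a real protocol analyzer and the baseline from observed traffic, since an unknown port alone is weak evidence.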

Shield Active Defense#

Network Monitoring#

Monitor network traffic in order to detect adversary activity.

Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis.

Opportunity#

There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary.

Use Case#

The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.

Procedures#

Capture network logs for internet-facing devices and send those logs to a central collection location. Capture all network device (routers, switches, proxies, etc.) logs on a decoy network and send those logs to a central collection location.