- Tactics
- Command and Control
- Platforms
- ESXi, Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1571
Description
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Command and Control tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1001 - Data Obfuscation
- T1008 - Fallback Channels
- T1071 - Application Layer Protocol
- T1090 - Proxy
- T1092 - Communication Through Removable Media
- T1095 - Non-Application Layer Protocol
- T1102 - Web Service
- T1104 - Multi-Stage Channels
- T1105 - Ingress Tool Transfer
- T1132 - Data Encoding
- T1205 - Traffic Signaling
- T1219 - Remote Access Tools