EXPLORE
Sign In
← Back to Explore
T1571

Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry ke...

ESXiLinuxmacOSWindows
16
Detections
3
Sources
16
Threat Actors

BY SOURCE

7elastic5sigma4splunk_escu

PROCEDURES (12)

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

C23 detections

Auto-extracted: 3 detections for c2

Bypass1 detections

Auto-extracted: 1 detections for bypass

Dns1 detections

Auto-extracted: 1 detections for dns

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Dns1 detections

Auto-extracted: 1 detections for dns

Unusual1 detections

Auto-extracted: 1 detections for unusual

Http1 detections

Auto-extracted: 1 detections for http

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Bypass1 detections

Auto-extracted: 1 detections for bypass

THREAT ACTORS (16)

APT-C-36APT32APT33Contagious InterviewDarkVishnyaEmber BearFIN7Gamaredon GroupLazarus GroupMagic HoundRedEchoRockeSandworm TeamSilenceVelvet AntWIRTE

DETECTIONS (16)

Cisco NVM - Outbound Connection to Suspicious Port
splunk_escu
Cisco Secure Firewall - Communication Over Suspicious Ports
splunk_escu
Cisco Secure Firewall - File Download Over Uncommon Port
splunk_escu
Communication To Uncommon Destination Ports
sigmamedium
Ollama Abnormal Network Connectivity
splunk_escu
Potential Data Exfiltration Activity to an Unusual Destination Port
elasticlow
Potentially Suspicious Malware Callback Communication
sigmahigh
Potentially Suspicious Malware Callback Communication - Linux
sigmahigh
Script Interpreter Connection to Non-Standard Port
elasticmedium
SMTP on Port 26/TCP
elasticlow
Suricata and Elastic Defend Network Correlation
elasticmedium
Suspicious DNS Z Flag Bit Set
sigmamedium
Suspicious Outbound Network Connection via Unsigned Binary
elastichigh
Testing Usage of Uncommonly Used Port
sigmamedium
Uncommon Destination Port Connection by Web Server
elasticlow
Unusual Linux Network Port Activity
elasticlow