Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed.
Supported Platforms: Windows
auto_generated_guid: 21fe622f-8e53-4b31-ba83-6d333c2583f4
| Name | Description | Type | Default Value | |——|————-|——|—————| | port | Specify uncommon port number | string | 8081| | domain | Specify target hostname | string | google.com|
1
powershell
!1
Test-NetConnection -ComputerName #{domain} -port #{port}
Testing uncommonly used port utilizing telnet.
Supported Platforms: Linux, macOS
auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767
| Name | Description | Type | Default Value | |——|————-|——|—————| | port | Specify uncommon port number | string | 8081| | domain | Specify target hostname | string | google.com|
1
sh
!1
2
echo quit | telnet #{domain} #{port}
exit 0
1
sh
!1
which telnet
1
echo "please install telnet to run this test"; exit 1