Try it using Invoke-Atomic

Non-Standard Port

Description from ATT&CK

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)

Atomic Tests

Atomic Test #1 - Testing usage of uncommonly used port with PowerShell

Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed.

Supported Platforms: windows

auto_generated_guid: 21fe622f-8e53-4b31-ba83-6d333c2583f4

Inputs:

Name Description Type Default Value
port Specify uncommon port number string 8081
domain Specify target hostname string google.com

Attack Commands: Run with powershell!

1
2
Test-NetConnection -ComputerName #{domain} -port #{port}

Atomic Test #2 - Testing usage of uncommonly used port

Testing uncommonly used port utilizing telnet.

Supported Platforms: freebsd,linux,macos

auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767

Inputs:

Name Description Type Default Value
port Specify uncommon port number string 8081
domain Specify target hostname string google.com

Attack Commands: Run with sh!

1
2
3
echo quit | telnet #{domain} #{port}
exit 0

Dependencies: Run with sh!

Description: Requires telnet

Check Prereq Commands:

1
2
which telnet

Get Prereq Commands:

1
2
echo "please install telnet to run this test"; exit 1

source