T1436 Commonly Used Port
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, avoiding more detailed inspection.
They may use commonly open ports such as
- TCP:80 (HTTP)
- TCP:443 (HTTPS)
- TCP:25 (SMTP)
- TCP/UDP:53 (DNS)
They may use the protocol normally associated with the port or a completely different protocol. The port number on its own is therefore a weak indicator of what a flow carries; a defender has to look at the payload to tell whether traffic on 443 is actually TLS, or whether traffic on 53 is actually DNS.
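The following is an added detection example, not part of the ATT&CK page and not code from any of the procedure-example malware. It shows the check the preceding paragraph implies: for each flow to one of the listed ports, guess the application protocol from the first client-to-server bytes and flag flows where the guess does not match what the port normally carries. The flow records, the `Flow`/`Finding` types and the fingerprinting heuristics are all assumptions made for this example; real deployments would take the first bytes from a sensor such as Zeek or a packet capture, and the heuristics would need to be broader than the four protocols covered here.

```python
"""Flag flows whose payload does not match the protocol expected on the port.

Added example. Flow records below are constructed for illustration; the
protocol heuristics are deliberately minimal (assumptions, not a full parser).
"""
from dataclasses import dataclass
import struct

# Application protocol normally carried on each port named in the text.
EXPECTED = {80: "http", 443: "tls", 25: "smtp", 53: "dns"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    transport: str      # "tcp" or "udp"
    first_bytes: bytes  # first client-to-server payload bytes of the flow


@dataclass(frozen=True)
class Finding:
    src: str
    dst_port: int
    expected: str
    observed: str


def classify(payload: bytes, transport: str) -> str:
    """Best-effort guess of the application protocol from the first client bytes.

    Returns "tls", "http", "smtp", "dns" or "unknown".
    """
    # TLS record header: content type 22 (handshake), version 3.x,
    # followed by handshake type 1 (ClientHello) at offset 5.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[5] == 0x01):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # SMTP: the server speaks first, so the client's first bytes are EHLO/HELO.
    if payload[:4] in (b"EHLO", b"HELO"):
        return "smtp"
    # DNS: over TCP the message is prefixed with a 2-byte length field.
    msg = payload[2:] if transport == "tcp" else payload
    if len(msg) >= 12:
        _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        qr = flags >> 15                 # 0 = query
        opcode = (flags >> 11) & 0xF     # 0 = standard query
        if qr == 0 and opcode == 0 and qd == 1 and an == 0 and ns == 0:
            return "dns"
    return "unknown"


def check_flows(flows):
    """Return a Finding for every flow on an in-scope port whose payload
    does not look like the protocol that port normally carries."""
    findings = []
    for f in flows:
        expected = EXPECTED.get(f.dst_port)
        if expected is None:
            continue  # port not in scope for this check
        observed = classify(f.first_bytes, f.transport)
        if observed != expected:
            findings.append(Finding(f.src, f.dst_port, expected, observed))
    return findings


# Constructed sample payloads (not captured from any real malware).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header, RD set
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")   # example.com A IN
CUSTOM_BEACON = b"\x00\x10\x8b\xad\xf0\x0dnode-01\x00\x00\x00\x00\x00"  # made-up binary C2

SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, "tcp", TLS_CLIENT_HELLO),                      # benign HTTPS
    Flow("10.0.0.5", 80, "tcp", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", 53, "udp", DNS_QUERY),                              # benign DNS
    Flow("10.0.0.7", 443, "tcp", CUSTOM_BEACON),                         # not TLS on 443
    Flow("10.0.0.7", 53, "tcp", b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"),
    Flow("10.0.0.7", 25, "tcp", TLS_CLIENT_HELLO),                       # implicit TLS on 25
    Flow("10.0.0.7", 8443, "tcp", CUSTOM_BEACON),                        # out of scope, ignored
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(f"{finding.src} -> port {finding.dst_port}: expected "
              f"{finding.expected}, saw {finding.observed}")
```

Run against the constructed flows, the three flows from 10.0.0.7 on ports 443, 53 and 25 are reported and the benign ones are not. A mismatch is a triage signal rather than proof of compromise: legitimate software also runs non-standard protocols on 443, so the result is best fed into an allow-list or correlated with the destination's reputation before alerting.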
Item | Value |
---|---|
ID | T1436 |
Sub-techniques | |
Tactics | TA0037, TA0036 |
Platforms | Android, iOS |
Version | 1.0 |
Created | 25 October 2017 |
Last Modified | 19 June 2019 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0182 | FinFisher | FinFisher exfiltrates data over commonly used ports, such as ports 21, 53, and 443. [1] |
S0485 | Mandrake | Mandrake has communicated with the C2 server over TCP port 443. [2] |
References
1. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
2. Gevers, R., Tivadar, M., Bleotu, R., Barbatei, A. M., et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.