Skip to content

T1509 Non-Standard Port

Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Item Value
ID T1509
Tactics TA0037
Platforms Android, iOS
Version 2.1
Created 01 August 2019
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0480 Cerberus Cerberus communicates with the C2 using HTTP requests over port 8888.3
S0405 Exodus Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.5
S0408 FlexiSpy FlexiSpy can communicate with the command and control server over ports 12512 and 12514.1
S0463 INSOMNIA INSOMNIA has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.4
S0485 Mandrake Mandrake has communicated with the C2 server over TCP port 7777.2
S0539 Red Alert 2.0 Red Alert 2.0 has communicated with the C2 using HTTP requests over port 7878.6


ID Data Source Data Component
DS0041 Application Vetting Network Communication
DS0029 Network Traffic Network Traffic Flow