# T1571 - Non-Standard Port
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1571)
<blockquote>
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Testing usage of uncommonly used port with PowerShell ](#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell )
- [Atomic Test #2 - Testing usage of uncommonly used port ](#atomic-test-2---testing-usage-of-uncommonly-used-port )
<br/>
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell
Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed.

**Supported Platforms:** Windows

**auto_generated_guid:** 21fe622f-8e53-4b31-ba83-6d333c2583f4

#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | string | 8081 |
| domain | Specify target hostname | string | google.com |

#### Attack Commands: Run with `powershell`!
``` powershell
Test-NetConnection -ComputerName #{domain} -port #{port}
```
<br/>
<br/>
## Atomic Test #2 - Testing usage of uncommonly used port
Testing uncommonly used port utilizing telnet.

**Supported Platforms:** Linux, macOS

**auto_generated_guid:** 5db21e1d-dd9c-4a50-b885-b1e748912767

#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | string | 8081 |
| domain | Specify target hostname | string | google.com |

#### Attack Commands: Run with `sh`!
``` sh
echo quit | telnet #{domain} #{port}
exit 0
```
#### Dependencies: Run with `sh`!
##### Description: Requires telnet
##### Check Prereq Commands:
``` sh
which telnet
```
##### Get Prereq Commands:
``` sh
echo "please install telnet to run this test" ; exit 1
```
<br/>
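A defender-side check for the traffic these tests generate, added here as an example and not part of Atomic Red Team or ATT&CK: it compares the protocol identified on a connection with its destination port and flags the mismatches the description mentions (TLS on 8088 or 587, telnet on 8081). The `Flow` record, the `EXPECTED_PORTS` baseline and the sample flows are assumptions constructed for illustration; a real deployment would feed it flow logs that carry a detected-protocol field.

```python
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    service: Optional[str]  # protocol identified from payload; None if unidentified

# Assumed site baseline: ports on which each protocol is normally expected.
EXPECTED_PORTS = {
    "ssl": {443, 465, 993, 995},
    "http": {80},
    "smtp": {25, 587},
    "ssh": {22},
    "telnet": {23},
    "rdp": {3389},
    "dns": {53},
}
BASELINE_PORTS = set().union(*EXPECTED_PORTS.values())

def classify(flow: Flow) -> Optional[str]:
    """Return a finding for a protocol/port mismatch, or None if the flow fits the baseline."""
    if flow.service is None:
        # Nothing identified (e.g. the connection never completed): judge the port alone.
        if flow.dst_port not in BASELINE_PORTS:
            return f"unidentified traffic to uncommon port {flow.dst_port}"
        return None
    expected = EXPECTED_PORTS.get(flow.service)
    if expected is None:
        return f"no port baseline for protocol {flow.service}"
    if flow.dst_port not in expected:
        return f"{flow.service} on non-standard port {flow.dst_port}"
    return None

def findings(flows):
    """Pair each suspicious flow with the reason it was flagged."""
    return [(f, reason) for f in flows if (reason := classify(f))]

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE = [
    Flow("10.0.0.5", "198.51.100.7", 443, "ssl"),      # normal HTTPS
    Flow("10.0.0.5", "198.51.100.7", 8088, "ssl"),     # TLS on 8088
    Flow("10.0.0.8", "203.0.113.9", 587, "ssl"),       # TLS with no SMTP seen on 587
    Flow("10.0.0.8", "203.0.113.9", 587, "smtp"),      # normal mail submission
    Flow("10.0.0.9", "203.0.113.20", 8081, "telnet"),  # telnet on 8081
    Flow("10.0.0.9", "203.0.113.20", 8081, None),      # attempt with no protocol identified
]

if __name__ == "__main__":
    for flow, reason in findings(SAMPLE):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}  {reason}")
```

The last sample row models a connection attempt to port 8081 that never yields an identifiable protocol, which is why the check falls back to the port baseline when no service is detected.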