security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1571/T1571.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

100 lines
2.5 KiB
Markdown
Raw Permalink Blame History

# T1571 - Non-Standard Port
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1571)
<blockquote>
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Testing usage of uncommonly used port with PowerShell](#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell)
- [Atomic Test #2 - Testing usage of uncommonly used port](#atomic-test-2---testing-usage-of-uncommonly-used-port)
<br/>
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell
Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful
port check will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 21fe622f-8e53-4b31-ba83-6d333c2583f4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | string | 8081|
| domain | Specify target hostname | string | google.com|
#### Attack Commands: Run with `powershell`!
```powershell
Test-NetConnection -ComputerName #{domain} -port #{port}
```
<br/>
<br/>
## Atomic Test #2 - Testing usage of uncommonly used port
Testing uncommonly used port utilizing telnet.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 5db21e1d-dd9c-4a50-b885-b1e748912767
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | string | 8081|
| domain | Specify target hostname | string | google.com|
#### Attack Commands: Run with `sh`!
```sh
echo quit | telnet #{domain} #{port}
exit 0
```
#### Dependencies: Run with `sh`!
##### Description: Requires telnet
##### Check Prereq Commands:
```sh
which telnet
```
##### Get Prereq Commands:
```sh
echo "please install telnet to run this test"; exit 1
```
<br/>
Reference in New Issue View Git Blame Copy Permalink