Description
Adversaries may communicate using a protocol and port pairing that are not typically associated with each other. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may change the standard port used by a protocol to bypass port-based filtering or to muddle analysis and parsing of network data.
Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
Platforms
Mitigations (2)
Network Segmentation (M1030)
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.
Network Intrusion Prevention (M1031)
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Threat Groups (17)
| ID | Group | Context |
|---|---|---|
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used HTTPS over ports 2083 and 2087 for C2.(Citation: Kaspersky WIRTE November 2021) |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used port 444 when sending data about the system from the client to the server.(Citation: Group I... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has used TCP port 1224 for C2.(Citation: Socket Contagious Interview NPM April 2025) |
| G1042 | RedEcho | [RedEcho](https://attack.mitre.org/groups/G1042) has used non-standard ports such as TCP 8080 for HTTP communication.(Citation: RecordedFuture RedEcho... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used ports 8043 and 8848 for botnet C2 communication.(Citation: FalconFeeds_MuddyWaterPSRust_M... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used various non-standard ports for C2 communication.(Citation: CISA GRU29155 2024) |
| G0050 | APT32 | An [APT32](https://attack.mitre.org/groups/G0050) backdoor can use HTTP over a non-standard TCP port (e.g. 14146) which is specified in the backdoor co... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) has used random high number ports for [PlugX](https://attack.mitre.org/software/S0013) listeners o... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used port 6789 to accept connections on the group's SSH server.(Citation: ESET BlackEnergy ... |
| G0032 | Lazarus Group | Some [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.(Citation: FireEye FI... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.(Citation: U... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used port 6856 for C2 communications.(Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| G0105 | DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.(Citatio... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019) |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used HTTP over TCP ports 808 and 880 for command and control.(Citation: Symantec Elfin Mar 2019) |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106)'s miner connects to a C2 server using port 51640.(Citation: Anomali Rocke March 2019) |
Associated Software (41)
| ID | Name | Type | Context |
|---|---|---|---|
| S1211 | Hannotog | Malware | [Hannotog](https://attack.mitre.org/software/S1211) uses non-standard listening ports, such as UDP 5900, for command and control purposes.(Citation: S... |
| S1031 | PingPull | Malware | [PingPull](https://attack.mitre.org/software/S1031) can use HTTPS over port 8080 for C2.(Citation: Unit 42 PingPull Jun 2022) |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly a... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has distributed C2 using BitTorrent’s Distributed Hash Table (DHT) network to harness a decentral... |
| S0491 | StrongPity | Malware | [StrongPity](https://attack.mitre.org/software/S0491) has used HTTPS over port 1402 in C2 communication.(Citation: Bitdefender StrongPity June 2020) |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) used TLS to encrypt communications over port 143.(Citation: Talos PoetRAT April 2020) |
| S0493 | GoldenSpy | Malware | [GoldenSpy](https://attack.mitre.org/software/S0493) has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebS... |
| S1155 | Covenant | Tool | [Covenant](https://attack.mitre.org/software/S1155) listeners and controllers can be configured to use non-standard ports.(Citation: Github Covenant) |
| S1049 | SUGARUSH | Malware | [SUGARUSH](https://attack.mitre.org/software/S1049) has used port 4585 for a TCP connection to its C2.(Citation: Mandiant UNC3890 Aug 2022) |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023)'s passive mode listens on TCP 47000.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCER... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) will communicate via HTTP over port 8080 for command and control traffic.(Citation: RedCana... |
| S0515 | WellMail | Malware | [WellMail](https://attack.mitre.org/software/S0515) has been observed using TCP port 25, without using SMTP, to leverage an open port for secure comma... |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) has connected outbound over TCP port 443 with a FakeTLS method.(Citation: US-CERT HOPLIGHT Apr 201... |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) can use ports 1985 and 1986 in HTTP/S communication.(Citation: Talos ZxShell Oct 2014) |
| S0149 | MoonWind | Malware | [MoonWind](https://attack.mitre.org/software/S0149) communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually ass... |
| S0246 | HARDRAIN | Malware | [HARDRAIN](https://attack.mitre.org/software/S0246) binds and listens on port 443 with a FakeTLS method.(Citation: US-CERT HARDRAIN March 2018) |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communicatio... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has used a custom binary protocol over TCP port 443 for C2.(Citation: Unit42 OceanLotus 20... |
| S9001 | SystemBC | Malware | The server component of [SystemBC](https://attack.mitre.org/software/S9001) has used various TCP ports for C2 communication.(Citation: TrumanKroll_SYS... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has communicated with hosts over raw TCP on port 9999.(Citation: FireEye Metamorfo Apr 2018) |
References
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved September 12, 2024.
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
Frequently Asked Questions
What is T1571 (Non-Standard Port)?
T1571 is a MITRE ATT&CK technique named 'Non-Standard Port'. It belongs to the Command and Control tactic(s). Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Age...
How can T1571 be detected?
Detection of T1571 (Non-Standard Port) typically involves monitoring network traffic, system logs, and endpoint telemetry for protocol and port pairings that do not match the expected baseline. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
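The following is an added detection example written for this page; it is not part of the ATT&CK entry and not code from any of the cited vendors. It illustrates both the technique described in the Description section (a known protocol on a port it is not usually paired with, such as TLS on 8088 or SSH on 6789) and the detection approach from this FAQ answer, by running two rules over Zeek-style conn.log records. The column layout, the service-to-port baseline (EXPECTED_PORTS_FOR_SERVICE), and the sample records are all constructed assumptions for the example; the baseline in particular must be tuned to the segment being monitored, and the function names are the example's own.

```python
"""Added detection example (not part of the ATT&CK page): flag protocol/port
pairings that are not typically associated, over Zeek-style conn.log records."""
from dataclasses import dataclass
from typing import Iterable, Iterator

# Baseline: destination ports each Zeek "service" label is expected on.
# This mapping is an assumption for the example; tune it to the segment
# (the page treats HTTP over 8080 as non-standard, so 8080 is left out).
EXPECTED_PORTS_FOR_SERVICE = {
    "http": {80},
    "ssl": {443},
    "ssh": {22},
    "dns": {53},
    "smtp": {25, 587},
    "rdp": {3389},
}
# Inverse view: the service a well-known port is expected to carry.
EXPECTED_SERVICE_FOR_PORT = {
    port: svc for svc, ports in EXPECTED_PORTS_FOR_SERVICE.items() for port in ports
}


@dataclass(frozen=True)
class Finding:
    ts: str
    orig_h: str
    resp_h: str
    resp_p: int
    service: str
    reason: str


def parse_conn_log(text: str) -> Iterator[dict]:
    """Parse a minimal tab-separated conn.log subset (assumed column order):
    ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, resp_bytes.
    Lines starting with '#' (Zeek header lines) are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        yield {
            "ts": f[0], "orig_h": f[1], "orig_p": int(f[2]),
            "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
            "service": f[6], "resp_bytes": int(f[7]),
        }


def detect_nonstandard_ports(records: Iterable[dict]) -> list[Finding]:
    """Apply two rules to each record:
    1. a recognized protocol seen on a port it is not expected on
       (e.g. ssl on 8088, ssh on 6789, http on 53);
    2. a well-known port carrying a different or unrecognized protocol
       while the server actually sent data (e.g. a custom protocol on 443).
    Connections with no response bytes are ignored for rule 2 so that scans
    and failed handshakes do not produce noise."""
    findings: list[Finding] = []
    for r in records:
        port, label = r["resp_p"], r["service"]
        # Zeek may join several analyzers with commas; '-' means none identified.
        services = set() if label == "-" else set(label.split(","))
        reason = None
        for svc in services:
            expected = EXPECTED_PORTS_FOR_SERVICE.get(svc)
            if expected is not None and port not in expected:
                reason = f"{svc} on port {port}, expected {sorted(expected)}"
                break
        if reason is None and port in EXPECTED_SERVICE_FOR_PORT:
            want = EXPECTED_SERVICE_FOR_PORT[port]
            if want not in services and r["resp_bytes"] > 0:
                seen = label if label != "-" else "unrecognized protocol"
                reason = f"port {port} carried {seen}, expected {want}"
        if reason:
            findings.append(Finding(r["ts"], r["orig_h"], r["resp_h"], port, label, reason))
    return findings


# Constructed sample records (not real telemetry). Columns as in parse_conn_log.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tresp_bytes",
    "1700000000.1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t5120",   # normal HTTPS
    "1700000001.2\t10.0.0.5\t51001\t203.0.113.11\t8088\ttcp\tssl\t2048",  # TLS on 8088
    "1700000002.3\t10.0.0.7\t51002\t203.0.113.12\t6789\ttcp\tssh\t900",   # SSH on 6789
    "1700000003.4\t10.0.0.7\t51003\t203.0.113.13\t53\ttcp\thttp\t300",    # HTTP on 53
    "1700000004.5\t10.0.0.9\t51004\t203.0.113.14\t443\ttcp\t-\t1500",     # unknown on 443
    "1700000005.6\t10.0.0.9\t51005\t203.0.113.15\t443\ttcp\t-\t0",        # no data: ignored
    "1700000006.7\t10.0.0.9\t51006\t203.0.113.16\t80\ttcp\thttp\t700",    # normal HTTP
    "1700000007.8\t10.0.0.9\t51007\t203.0.113.17\t9999\ttcp\t-\t400",     # unknown on unknown port
])


def run_example() -> list[Finding]:
    """Run both rules over the constructed sample and return the findings."""
    return detect_nonstandard_ports(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.ts} {f.orig_h} -> {f.resp_h}:{f.resp_p} [{f.service}] {f.reason}")
```

Rule 1 covers the mismatches the page describes directly (a recognized protocol on an unusual port); rule 2 covers the inverse case the software table shows, where a standard port such as 443 carries something Zeek's analyzers do not recognize. The last sample record, an unidentified protocol on an unusual port, is deliberately not flagged by either rule: it needs a different baseline (rare destination ports per host, or egress allowlists as in the Network Segmentation mitigation) rather than a protocol/port pairing check.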
What mitigations exist for T1571?
There are 2 documented mitigations for T1571. Key mitigations include: Network Segmentation, Network Intrusion Prevention.
Which threat groups use T1571?
Known threat groups using T1571 include: WIRTE, Silence, Contagious Interview, RedEcho, MuddyWater, Ember Bear, APT32, Velvet Ant.