Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed.
Supported Platforms: Windows
auto_generated_guid: 21fe622f-8e53-4b31-ba83-6d333c2583f4
| Name | Description | Type | Default Value |
|---|---|---|---|
| port | Specify uncommon port number | string | 8081 |
| domain | Specify target hostname | string | google.com |
Test-NetConnection -ComputerName #{domain} -port #{port}Testing uncommonly used port utilizing telnet.
Supported Platforms: Linux, macOS
auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767
| Name | Description | Type | Default Value |
|---|---|---|---|
| port | Specify uncommon port number | string | 8081 |
| domain | Specify target hostname | string | google.com |
echo quit | telnet #{domain} #{port}
exit 0which telnetecho "please install telnet to run this test"; exit 1