Non-Standard Port

The non-standard port technique refers to an adversary deliberately communicating over a port other than the one conventionally associated with the protocol, breaking the expected protocol-to-port mapping in order to evade detection. Traditional defenses rely mainly on port blocklists and protocol-conformance checks: they test whether a port is used as expected (for example, whether port 80 actually carries HTTP) and match traffic against protocol signatures (such as the SSH handshake). Mitigations include deep packet inspection, protocol fingerprinting, and baseline monitoring of traffic on unusual ports.

To get past these checks, adversaries have developed several port-level evasion techniques: decoupling the protocol from its port, switching channels dynamically, and impersonating a legitimate service in depth, so that the channel looks compliant on the surface while its behavior stays hidden. Malicious activity is pushed into the grey area of port usage, exploiting the trade-off defenders face between how deeply they parse each protocol and how broadly they monitor ports.

At the core of these techniques is the joint obfuscation of protocol-stack features and network behavior. Reusing a well-known port for a different protocol defeats detection expectations and rides on the allowlisting of legitimate protocols to slip past initial filtering; dynamic port hopping spreads communication features across time and ports, undermining detection models that depend on session persistence; protocol emulation achieves application-layer conformance, defeating protocol fingerprinting. The key is to break the assumed link between protocol, port, and behavior: through layered "legitimization" of its features, malicious traffic looks compliant in form while hiding its intent, and rule-based defenses miss it far more often.

As these techniques evolve, defenses that depend solely on port features or protocol conformance risk failing outright. Defenders need dynamic modeling of protocol behavior and cross-port flow correlation, combined with endpoint-side monitoring of port usage and learning over network metadata, to detect abuse of non-standard ports. They should also maintain a protocol-to-port mapping baseline and apply enhanced deep inspection to any protocol service observed on an unusual port.

ID: T1571
Sub-techniques: No sub-techniques
Tactic: Command and Control
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 14 March 2020
Last Modified: 12 September 2024

Evasion Effects

Effect type | Present
Signature disguise | Yes (see below)
Behavioral transparency | No (not discussed on this page)
Data masking | Yes (see below)
Spatiotemporal trace dispersion | Yes (see below)

Signature disguise

The adversary reconstructs the protocol stack and emulates the interaction logic so that traffic on a non-standard port carries the features of a legitimate protocol: for example, speaking a correct HTTP exchange on port 8080, or building a C2 channel on port 53 that follows the DNS specification. Because the traffic passes conformance checks at both the syntactic and the semantic level, detection based on protocol fingerprints is largely bypassed.

Data masking

In combination with dynamic port hopping, the adversary wraps the malicious payload in TLS so that the encrypted channel hides what is actually exchanged on the non-standard port: for example, sending encrypted C2 commands as HTTPS over port 8443. Without TLS interception the defender cannot inspect the content to judge whether the port is being used legitimately, so the encryption layer and the port layer provide two layers of concealment.

Spatiotemporal trace dispersion

Dynamic port switching splits a single attack session into many discrete per-port communication events, diluting the feature density over time: for example, rotating the C2 port every hour so that the hit count on any one port stays below the detection threshold, while also hampering the defender's cross-port behavior correlation. This noticeably extends the dwell time of the attack chain.
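The hourly rotation described above, and the cross-port correlation a defender needs against it, as an added example (this is not code from the ATT&CK page or from any vendor). The flow records, addresses and thresholds are constructed assumptions; the six hop ports are borrowed from the C0018 and C0032 procedure entries on this page. The point it shows is that a per-port counter never fires (two hits per port), while grouping by src/dst pair and looking at timing regularity across ports does.

```python
"""Correlate flows to one peer across destination ports so that hourly port
rotation, which keeps every single port under a per-port threshold, still
surfaces as one beaconing channel.

Added example for this page, not ATT&CK or vendor code. Flow records are
constructed (hop ports taken from the C0018 and C0032 entries on this page)
and the thresholds are assumptions to tune against a real baseline.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

PER_PORT_ALERT = 5        # hits on one port at which a per-port rule would fire
MIN_DISTINCT_PORTS = 4    # distinct ports to the same peer before correlating
MAX_JITTER = 0.2          # pstdev/mean of inter-arrival gaps; lower = beacon-like
MIN_MEAN_GAP = 60.0       # seconds; a faster cadence is a scan, not a beacon

HOP_PORTS = [28035, 32467, 41578, 46892, 50501, 4444]
OFFSETS = [0, 40, -30, 20, -50, 10, 35, -15, 0, 25, -40, 15]   # seconds of jitter

# (timestamp_seconds, src, dst, dport): three constructed conversations
FLOWS = [
    # 1) hourly beacon rotating through six ports: only two hits per port in 12 h
    *[(i * 3600 + OFFSETS[i], "10.0.0.7", "203.0.113.9", HOP_PORTS[i % len(HOP_PORTS)])
      for i in range(12)],
    # 2) ordinary browsing: one port, bursty timing, seven hits
    *[(t, "10.0.0.8", "198.51.100.20", 443) for t in (100, 700, 760, 4000, 9000, 9100, 15000)],
    # 3) a quick port sweep: many ports at a one-second cadence
    *[(t, "10.0.0.9", "192.0.2.30", p) for t, p in enumerate((21, 22, 23, 25, 80, 110))],
]


def group_by_pair(flows):
    """Bucket flows by (src, dst) regardless of destination port."""
    pairs = defaultdict(list)
    for ts, src, dst, dport in flows:
        pairs[(src, dst)].append((ts, dport))
    return pairs


def analyze_pair(events):
    """Per-port hit counts plus timing regularity for one src/dst pair."""
    events = sorted(events)
    hits = Counter(dport for _, dport in events)
    times = [ts for ts, _ in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = mean(gaps) if gaps else None
    jitter = pstdev(gaps) / mean_gap if len(gaps) >= 2 and mean_gap else None
    beacon_like = jitter is not None and jitter < MAX_JITTER and mean_gap >= MIN_MEAN_GAP
    return {
        "connections": len(events),
        "distinct_ports": len(hits),
        "max_per_port": max(hits.values()),
        "mean_gap": mean_gap,
        "jitter": jitter,
        "per_port_alert": max(hits.values()) >= PER_PORT_ALERT,
        "cross_port_alert": len(hits) >= MIN_DISTINCT_PORTS and beacon_like,
    }


def find_port_hoppers(flows):
    """Return the src/dst pairs that the cross-port view flags."""
    return {pair: r for pair, evs in group_by_pair(flows).items()
            if (r := analyze_pair(evs))["cross_port_alert"]}


if __name__ == "__main__":
    for pair, r in find_port_hoppers(FLOWS).items():
        print(pair, r)
```

In practice the tuples come from flow logs (Zeek conn.log, NetFlow) and the thresholds are set from the site's own baseline. The minimum mean gap matters: without it a six-port scan, which also has many distinct ports and near-zero jitter, would be reported as a beacon.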

Procedure Examples

ID Name Description
G0099 APT-C-36

APT-C-36 has used port 4050 for C2 communications.[1]

G0050 APT32

An APT32 backdoor can use HTTP over a non-standard TCP port (e.g., 14146) which is specified in the backdoor configuration.[2]

G0064 APT33

APT33 has used HTTP over TCP ports 808 and 880 for command and control.[3]

S0245 BADCALL

BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[4]

S0239 Bankshot

Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[5]

S0574 BendyBear

BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[6]

C0018 C0018

During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.[7]

C0032 C0032

During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[8]

S1155 Covenant

Covenant listeners and controllers can be configured to use non-standard ports.[9]

S0687 Cyclops Blink

Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.[10]

G0105 DarkVishnya

DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.[11]

S0021 Derusbi

Derusbi has used unencrypted HTTP on port 443 for C2.[12]

G1003 Ember Bear

Ember Bear has used various non-standard ports for C2 communication.[13]

S0367 Emotet

Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[14][15]

G0046 FIN7

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[16]

S0493 GoldenSpy

GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[17]

S0237 GravityRAT

GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.[18]

S0246 HARDRAIN

HARDRAIN binds and listens on port 443 with a FakeTLS method.[19]

S0376 HOPLIGHT

HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[20]

C0035 KV Botnet Activity

KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.[21]

G0032 Lazarus Group

Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.[22][23]

S1016 MacMa

MacMa has used TCP port 5633 for C2 Communication.[24]

G0059 Magic Hound

Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[25][26]

S0455 Metamorfo

Metamorfo has communicated with hosts over raw TCP on port 9999.[27]

S0149 MoonWind

MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.[28]

S0385 njRAT

njRAT has used port 1177 for HTTP C2 communications.[29]

C0014 Operation Wocao

During Operation Wocao, the threat actors used uncommon high ports for their backdoor C2, including ports 25667 and 47000.[30]

S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.[31]

S1145 Pikabot

Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.[32]

S1031 PingPull

PingPull can use HTTPS over port 8080 for C2.[33]

S0428 PoetRAT

PoetRAT used TLS to encrypt communications over port 143.[34]

S0262 QuasarRAT

QuasarRAT can use port 4782 on the compromised host for TCP callbacks.[35]

S1130 Raspberry Robin

Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic.[36]

S0153 RedLeaves

RedLeaves can use HTTP over non-standard ports, such as 995, for C2.[37]

G0106 Rocke

Rocke's miner connects to a C2 server using port 51640.[38]

S1078 RotaJakiro

RotaJakiro uses a custom binary protocol over TCP port 443.[39]

S0148 RTM

RTM used Port 44443 for its VNC module.[40]

G0034 Sandworm Team

Sandworm Team has used port 6789 to accept connections on the group's SSH server.[41]

S1085 Sardonic

Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.[42]

G0091 Silence

Silence has used port 444 when sending data about the system from the client to the server.[43]

S0491 StrongPity

StrongPity has used HTTPS over port 1402 in C2 communication.[44]

S1049 SUGARUSH

SUGARUSH has used port 4585 for a TCP connection to its C2.[45]

S0266 TrickBot

Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[46][47][48] Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443.[49]

S0263 TYPEFRAME

TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.[50]

S0515 WellMail

WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[51][52]

G0090 WIRTE

WIRTE has used HTTPS over ports 2083 and 2087 for C2.[53]

S0412 ZxShell

ZxShell can use ports 1985 and 1986 in HTTP/S communication.[54]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

M1030 Network Segmentation

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Network Traffic Flow

Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port.
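An added example of the content check described above, written for this page and not taken from ATT&CK or any vendor: it fingerprints the first client bytes of each connection (HTTP request line, SSH banner, SMTP greeting, TLS ClientHello structure, DNS query header), compares the label with an assumed port-to-protocol baseline, and reports mismatches and ports missing from the baseline. The baseline, the addresses and every payload are constructed for illustration.

```python
"""Flag connections whose first client bytes do not match the protocol
expected on the destination port (the content check listed under Detection).

Added example for this page, not ATT&CK or vendor code. The port baseline is an
assumed policy and every payload and address below is constructed by hand.
"""
import struct

# Assumed baseline: protocols each destination port is expected to carry.
# Ports missing from the map are reported as "unlisted-port".
EXPECTED = {22: {"ssh"}, 25: {"smtp"}, 53: {"dns"}, 80: {"http"},
            443: {"tls"}, 8080: {"http"}, 8443: {"tls"}}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_tls_client_hello(p: bytes) -> bool:
    """Record type 0x16, version 0x03xx, handshake type 1, record and handshake
    lengths consistent, ClientHello version 0x03xx. A sloppy FakeTLS stub fails
    this; a careful one passes, so a pass is necessary, not sufficient."""
    if len(p) < 11 or p[0] != 0x16 or p[1] != 0x03 or p[2] > 0x04:
        return False
    rec_len = struct.unpack(">H", p[3:5])[0]
    hs_len = int.from_bytes(p[6:9], "big")
    return p[5] == 0x01 and hs_len + 4 == rec_len and p[9] == 0x03 and p[10] in (1, 2, 3)


def looks_like_dns_query(p: bytes, transport: str) -> bool:
    """Standard query header (QR=0, opcode 0, QDCOUNT>=1, no answer/authority
    records), a well-formed QNAME and QCLASS IN. TCP adds a 2-byte length."""
    if transport == "tcp":
        if len(p) < 2 or struct.unpack(">H", p[:2])[0] != len(p) - 2:
            return False
        p = p[2:]
    if len(p) < 17:
        return False
    flags, qd, an, ns = struct.unpack(">HHHH", p[2:10])
    if flags & 0xF800 or qd < 1 or an or ns:
        return False
    i = 12                                  # walk the first question name
    while i < len(p) and p[i] != 0:
        if p[i] > 63:                       # oversized label or pointer: not a query
            return False
        i += p[i] + 1
    return i + 5 <= len(p) and struct.unpack(">H", p[i + 3:i + 5])[0] == 1


def identify(payload: bytes, transport: str) -> str:
    """Label the application protocol from the first client bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        return "http"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if looks_like_tls_client_hello(payload):
        return "tls"
    if looks_like_dns_query(payload, transport):
        return "dns"
    return "unknown"


def check(dst: str, dport: int, transport: str, first_bytes: bytes) -> dict:
    """Compare the fingerprinted protocol with the baseline for the port."""
    proto = identify(first_bytes, transport)
    expected = EXPECTED.get(dport)
    verdict = "unlisted-port" if expected is None else "ok" if proto in expected else "mismatch"
    return {"peer": f"{dst}:{dport}/{transport}", "protocol": proto, "verdict": verdict}


def client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed sample connections (dst, dport, transport, first client bytes).
SAMPLES = [
    ("198.51.100.10", 80, "tcp", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("203.0.113.7", 447, "tcp", b"POST /gate HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"),
    ("203.0.113.8", 443, "tcp", b"GET /c HTTP/1.1\r\nHost: 203.0.113.8\r\n\r\n"),   # plaintext HTTP on 443
    ("198.51.100.11", 443, "tcp", client_hello()),
    ("203.0.113.9", 443, "tcp", b"\x16\x03\x01\x00\x10\x01\x00\x00\x40" + b"\xde\xad\xbe\xef" * 4),  # bad lengths
    ("198.51.100.53", 53, "udp",
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02c2\x07example\x04test\x00\x00\x01\x00\x01"),
    ("203.0.113.10", 53, "tcp", b"\x7fELF" + bytes(12)),                                # raw bytes on 53
    ("203.0.113.11", 6789, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),                           # SSH on a high port
]


def run_samples() -> list:
    return [check(*s) for s in SAMPLES]


if __name__ == "__main__":
    for r in run_samples():
        print(f"{r['verdict']:13} {r['protocol']:8} {r['peer']}")
```

Two caveats a practitioner should keep in mind. The TLS check only validates the record and handshake framing, so a FakeTLS implementation that copies a real ClientHello passes it; the "unlisted-port" verdict (447, 6789) is where egress allowlisting from the Mitigations section would have blocked the flow outright. And when the protocol on the port is genuine TLS, as in the HTTPS-over-8443 case above, the content check can say nothing about the payload, which is why flow metadata (timing, volume, destination) has to carry the rest of the detection.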

References

  1. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  2. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  3. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  4. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  5. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  6. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  7. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  8. Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  9. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  10. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  11. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  12. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  13. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  14. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  15. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  16. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  17. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  18. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  19. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  20. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  21. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  22. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  23. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  24. M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  25. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  26. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  27. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  28. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  29. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  30. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  31. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  32. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  33. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  34. Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  35. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  36. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  37. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  38. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  39. Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
  40. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  41. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
  42. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  43. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  44. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  45. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  46. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  47. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  48. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  49. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  50. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  51. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  52. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  53. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  54. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.