Uncommonly Used Port
Adversaries may use non-standard ports to exfiltrate information.
ID: T1509
Sub-techniques:
No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command And Control
Platforms: Android, iOS
Version: 1.0
Created: 01 August 2019
Last Modified: 11 September 2019
Procedure Examples
Name | Description
---|---
Cerberus | 
Exodus | Exodus Two attempts to connect to port 22011 to provide a remote reverse shell.[2]
FlexiSpy | FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[1]
INSOMNIA | INSOMNIA has communicated with the C2 over TCP ports 43111, 43223, and 43773.[3]
Mitigations
Mitigation | Description
---|---
Application Vetting | Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs.
Detection
Detection would most likely occur at the enterprise level, through packet and/or netflow inspection of traffic leaving the device. A properly configured egress firewall that permits only expected destination ports will also block much command and control traffic that uses non-standard ports.
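The following is an added example of the netflow-style inspection described above (and of the port review an application vetting report enables); it is not MITRE's code or any vendor's. It classifies outbound flows by destination port against an assumed enterprise egress allowlist, flags the ports named in the Procedure Examples, and reports destinations contacted repeatedly on a non-standard port. The flow records, the RFC 1918 "internal" check and the allowlist are constructed for illustration.

```python
"""Flag outbound flows to non-standard ports in netflow/Zeek-style records.

Added example for the Detection section; not MITRE ATT&CK's code.
The egress allowlist, the RFC 1918 'internal' check and the sample
flows below are assumptions constructed for illustration.
"""
import ipaddress
from collections import Counter

# Assumption: destination ports an enterprise egress policy typically permits.
COMMON_EGRESS_PORTS = {53, 80, 123, 443, 465, 587, 853, 993, 995}

# Ports named in the Procedure Examples (Exodus Two, FlexiSpy, INSOMNIA).
WATCHLIST_PORTS = {22011, 12512, 12514, 43111, 43223, 43773}

# RFC 1918 ranges treated as internal (east-west traffic is out of scope).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real telemetry), Zeek conn.log-like columns:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  orig_bytes
SAMPLE_FLOWS = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes
1585000000.1\t10.20.1.15\t51002\t203.0.113.8\t443\ttcp\t1200
1585000001.4\t10.20.1.15\t51003\t203.0.113.9\t22011\ttcp\t310
1585000061.7\t10.20.1.15\t51010\t203.0.113.9\t22011\ttcp\t305
1585000122.0\t10.20.1.15\t51019\t203.0.113.9\t22011\ttcp\t312
1585000003.2\t10.20.1.16\t49211\t198.51.100.4\t43223\ttcp\t2048
1585000004.9\t10.20.1.16\t49212\t10.20.5.2\t8443\ttcp\t900
1585000005.3\t10.20.1.17\t33000\t203.0.113.20\t8080\tudp\t64
1585000006.0\t10.20.1.17\t33001\t203.0.113.21\t53\tudp\t72
"""


def parse_flows(text):
    """Parse tab-separated flow lines into dicts; '#' header lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes = line.split("\t")
        flows.append({
            "ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto,
            "orig_bytes": int(orig_bytes),
        })
    return flows


def is_internal(addr):
    """True if the address falls in one of the RFC 1918 ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(flow):
    """Label a flow by how its destination port should be treated."""
    if is_internal(flow["resp_h"]):
        return "internal"      # not egress; ignored by the summary
    if flow["resp_p"] in WATCHLIST_PORTS:
        return "watchlist"     # port tied to a documented mobile implant
    if flow["resp_p"] in COMMON_EGRESS_PORTS:
        return "common"
    return "uncommon"          # permitted by nothing on the allowlist


def summarize(flows):
    """Group flagged flows by (dst, dport, proto); returns label -> Counter."""
    out = {"watchlist": Counter(), "uncommon": Counter()}
    for f in flows:
        label = classify(f)
        if label in out:
            out[label][(f["resp_h"], f["resp_p"], f["proto"])] += 1
    return out


def beaconing_destinations(flows, min_hits=3):
    """Destinations hit repeatedly on a non-standard port (beacon-like)."""
    hits = Counter((f["resp_h"], f["resp_p"]) for f in flows
                   if classify(f) in ("watchlist", "uncommon"))
    return sorted(k for k, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for label, counter in summarize(flows).items():
        for (dst, port, proto), n in sorted(counter.items()):
            print(f"{label:9s} {dst}:{port}/{proto} x{n}")
    print("beacon-like:", beaconing_destinations(flows))
```

On the constructed input, the three connections to 203.0.113.9:22011 are reported both as watchlist hits and as beacon-like, the single 43223 flow as a watchlist hit, and 8080/udp as an uncommon port; the 443 and 53 flows pass and the 8443 flow to an RFC 1918 address is ignored. In production the allowlist should be derived from the organisation's actual egress policy, and the "uncommon" bucket reviewed per destination rather than alerted on blindly.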
References
- A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
- A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.