1. Home
  2. Techniques
  3. Mobile
  4. Commonly Used Port

Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.

They may use commonly open ports such as

  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP:25 (SMTP)
  • TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

ID: T1436
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 25 October 2017
Last Modified: 19 June 2019
Provided by LAYER 8

Procedure Examples

ID Name Description
S0182 FinFisher

FinFisher exfiltrates data over commonly used ports, such as ports 21, 53, and 443.[1]
S0485 Mandrake

Mandrake has communicated with the C2 server over TCP port 443.[2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References

  1. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  1. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.