Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. 
|M1031||Network Intrusion Prevention||
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.
|ID||Data Source||Data Component|
|DS0029||Network Traffic||Network Connection Creation|
|Network Traffic Content|
|Network Traffic Flow|
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.