This site has been deprecated in favor of and will remain in place until 11/1/22.

Commonly Used Port

From attackics
(Redirected from Commonly Used Port)
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Commonly Used Port
ID T0885
Tactic Command and Control
Data Sources Network Traffic: Network Traffic Flow
External Contributors Matan Dobrushin - Otorio
Asset Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface, Control Server, Engineering Workstation


Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.

  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP/UDP:53 (DNS)
  • TCP:1024-4999 (OPC on XP/Win2k3)
  • TCP:49152-65535 (OPC on Vista and later)
  • TCP:23 (TELNET)
  • UDP:161 (SNMP)
  • TCP:502 (MODBUS)
  • TCP:102 (S7comm/ISO-TSAP)
  • TCP:20000 (DNP3)
  • TCP:44818 (Ethernet/IP)

Procedure Examples

  • Dragonfly 2.0 communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138.1
  • Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised.2
  • Triton uses TriStation’s default UDP port, 1502, to communicate with devices.3


  • Network Intrusion Prevention - Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.4
  • Network Segmentation - Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.