Commonly Used Port

ID T885
Tactic Command and Control
External Contributors Matan Dobrushin - Otorio
Asset Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Human-Machine Interface, Control Server, Engineering Workstation


Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, avoiding more detailed inspection. They may use the protocol normally associated with the port, or a completely different protocol. Commonly open ports include the examples listed below.

  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP/UDP:53 (DNS)
  • TCP:1024-4999 (OPC on XP/Win2k3)
  • TCP:49152-65535 (OPC on Vista and later)
  • TCP:23 (TELNET)
  • UDP:161 (SNMP)
  • TCP:502 (MODBUS)
  • TCP:102 (S7comm/ISO-TSAP)
  • TCP:20000 (DNP3)
  • TCP:44818 (Ethernet/IP)

Procedure Examples

  • Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138. [1]
  • Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. [2]
  • Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. [3]

Mitigations

  • Access to device configuration settings should be restricted. Be wary of improper modifications before, during, and after system implementation. [4]
  • Settings should be in the most restrictive mode consistent with ICS operational requirements [4], including limiting open ports to those that are necessary.
  • Leverage access control capabilities, such as whitelists, to limit communications to and from permitted, known entities. [4]
  • Assess and secure new device acquisitions as they enter the environment to detect and prevent the introduction of tampered-with components. [4]
  • VPNs can be used to provide secure access from an untrusted network to the ICS control network and to restrict access to and from host computers. [4]
  • Intrusion detection can be put in place to monitor traffic and logs. Unexpected traffic, or an unusually high volume of traffic, even over commonly used ports, can be suspicious when it deviates from the typically consistent state of the ICS environment. [4]
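One way to operationalise the whitelist and intrusion-detection mitigations above is a baseline check over flow records: only the ports the technique lists are examined, a flow on one of them between endpoints not in the learned baseline is a new peer, and a baseline pair whose byte count jumps is a volume anomaly. This is an added example, not code from the ATT&CK page; the addresses, the baseline and the volume threshold are constructed placeholders.

```python
from collections import Counter, namedtuple

# Ports listed in the technique description, keyed as (protocol, port); the OPC
# entries are dynamic ranges rather than single ports.
COMMON_PORTS = {
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 23): "TELNET", ("udp", 161): "SNMP", ("tcp", 502): "MODBUS",
    ("tcp", 102): "S7comm/ISO-TSAP", ("tcp", 20000): "DNP3", ("tcp", 44818): "Ethernet/IP",
}
COMMON_RANGES = [("tcp", 1024, 4999, "OPC (XP/Win2k3)"), ("tcp", 49152, 65535, "OPC (Vista+)")]
Flow = namedtuple("Flow", "src dst proto dport byte_count")

def port_label(proto, port):
    """Return the page's label for a commonly used port, or None if it is not listed."""
    if (proto, port) in COMMON_PORTS:
        return COMMON_PORTS[(proto, port)]
    for p, lo, hi, name in COMMON_RANGES:
        if proto == p and lo <= port <= hi:
            return name
    return None

def flag_deviations(flows, baseline, volume_limit):
    """Alert on listed-port traffic that deviates from the learned steady state. baseline is
    a set of (src, dst, proto, dport) tuples seen in normal operation: a listed-port flow to an
    endpoint outside it is a new peer, a baseline pair exceeding volume_limit bytes is a surge."""
    alerts, volume = [], Counter()
    for f in flows:
        label = port_label(f.proto, f.dport)
        if label is None:
            continue  # unlisted port: left to other detections
        key = (f.src, f.dst, f.proto, f.dport)
        if key not in baseline:
            alerts.append(f"new-peer {f.src}->{f.dst} {f.proto}/{f.dport} ({label})")
        else:
            volume[key] += f.byte_count
    for (src, dst, proto, dport), total in volume.items():
        if total > volume_limit:
            alerts.append(f"volume {src}->{dst} {proto}/{dport} ({port_label(proto, dport)}) {total}B")
    return alerts

# Constructed sample with hypothetical addresses: an HMI polling a PLC over Modbus and
# S7comm is baseline; an HTTPS session to an unknown host and a Modbus byte surge are not.
BASELINE = {("10.0.1.10", "10.0.2.20", "tcp", 502), ("10.0.1.10", "10.0.2.21", "tcp", 102)}
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 502, 1200),
    Flow("10.0.1.10", "10.0.2.21", "tcp", 102, 900),
    Flow("10.0.1.30", "203.0.113.7", "tcp", 443, 48000),
    Flow("10.0.1.10", "10.0.2.20", "tcp", 502, 250000),
    Flow("10.0.1.10", "10.0.2.20", "tcp", 8899, 50),
]
```

Running `flag_deviations(SAMPLE_FLOWS, BASELINE, 100000)` yields one new-peer alert for the HTTPS session and one volume alert for the Modbus pair; the baseline should be learned from a representative quiet period and re-validated whenever the process or its devices change.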