ATT&CK Technique
Uncommonly Used Port
T1065 · command-and-control
▤ Generate a SIEM detection for T1065
◈ Deployable detections for T1065
⚠ CVEs mapped to T1065
♛ Hunt package for T1065
Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured, for example egress filtering that only inspects 80/443, or a proxy that passes any connection whose destination port is not on a block list. (T1065 was revoked in ATT&CK and folded into T1571, Non-Standard Port; public rule sets are generally tagged with the newer ID, which is one reason the coverage panel below reads none on every surface.)
Platforms: Linux, macOS, Windows
How to use this page - the detection-engineering loop
Attackers have goals (tactics - “get credentials”, “move laterally”) and techniques are the concrete methods they use to reach them. This page is one method - T1065 - broken into everything you need to catch it.
The loop this page is built for (this is the job):
- Understand the behaviour - read the description and the Atomic Tests to see exactly what the attacker does on a host or network.
- Find the telemetry - what data source would reveal it (process creation, registry, network flow, auth logs). Detection Coverage shows which surfaces already have a rule and which are blind.
- Get or write the detection - adapt ready logic (CAR Analytics, SIEM Detections, Falco, or Sigma via Generate a SIEM detection), or author your own.
- Test it - run an Atomic Test in a lab and confirm your rule actually fires. A detection you have not tested is a hope, not coverage.
- Deploy and tune - push it, then watch for false positives and adjust.
What each panel is for:
Atomic Tests - safely reproduce the technique in a lab to validate that a detection fires.
Detection Coverage - which detection surfaces have a rule for this technique; a none entry is either a blind spot to close or simply not applicable (YARA matches files, not network behaviour).
CAR / SIEM / Falco - ready-made detection logic (Splunk SPL, Elastic EQL, Sentinel KQL, Falco) you adapt to your own SIEM.
Mitigations - reduce exposure so the technique is harder to use at all - prevent, not just detect.
Actors / Attribution - who actually uses this, so you prioritise by your own threat model.
Attack Path / LOTL - what attackers do before and after this step, and the legitimate tools they abuse to do it.
Where this fits: you usually arrive here from a CVE (“which techniques does it enable”) and leave with a tested detection deployed. The buttons above jump straight to building one, the deployable rules, the CVEs that use T1065, and a hunt package.
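The loop above, worked through for this technique as an added example (not code from the page, from ATT&CK or from Caldera): the telemetry is network flow, here Zeek-style conn.log records, and the detection logic applies two rules over them. Rule one flags a session whose Zeek-labelled application protocol is seen on a port it is not expected on (the classic "HTTP on 4444" C2 pattern); rule two flags an unlabelled session that carries data to an uncommon egress port. The second rule goes slightly beyond the page's text, which only describes the uncommon-port case, by also catching the protocol/port mismatch. The conn.log field names are Zeek's real ones; EXPECTED_PORTS, COMMON_EGRESS_PORTS, INTERNAL_NETS and the sample records are assumptions constructed for the example, and the sample uses RFC 5737 documentation addresses as stand-ins for internet hosts.

```python
"""Added example: detect C2 over a non-standard port from Zeek-style conn.log
JSON lines. Not the page's, ATT&CK's or Caldera's code."""
import ipaddress
import json
from typing import List, Optional

# Assumption: the port(s) each Zeek-labelled service is expected on in this
# estate. The same service on any other port is a protocol/port mismatch.
EXPECTED_PORTS = {
    "http": {80, 8080},
    "ssl": {443},
    "dns": {53},
    "ssh": {22},
}
# Assumption: egress ports routine enough that an unlabelled session is not
# interesting on its own. Tune to what your proxies and resolvers really use.
COMMON_EGRESS_PORTS = {80, 443, 53, 123}
# Assumption: address ranges that count as internal. Listed explicitly rather
# than via ipaddress.is_private, which also treats RFC 5737 test nets as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records (JSON-lines conn.log), not real traffic.
# Destinations in 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in
# for internet hosts.
SAMPLE_CONN_LOG = [
    '{"id.orig_h":"10.0.0.21","id.resp_h":"203.0.113.10","id.resp_p":80,"proto":"tcp","service":"http","orig_bytes":512,"resp_bytes":4096}',
    '{"id.orig_h":"10.0.0.21","id.resp_h":"198.51.100.5","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":900,"resp_bytes":12000}',
    '{"id.orig_h":"10.0.0.33","id.resp_h":"203.0.113.10","id.resp_p":4444,"proto":"tcp","service":"http","orig_bytes":210,"resp_bytes":1800}',
    '{"id.orig_h":"10.0.0.33","id.resp_h":"198.51.100.77","id.resp_p":8443,"proto":"tcp","service":"ssl","orig_bytes":700,"resp_bytes":3000}',
    '{"id.orig_h":"10.0.0.40","id.resp_h":"192.0.2.7","id.resp_p":31337,"proto":"tcp","orig_bytes":64,"resp_bytes":64}',
    '{"id.orig_h":"10.0.0.40","id.resp_h":"10.0.0.5","id.resp_p":31337,"proto":"tcp","orig_bytes":64,"resp_bytes":64}',
    '{"id.orig_h":"10.0.0.40","id.resp_h":"192.0.2.9","id.resp_p":9999,"proto":"tcp","orig_bytes":0,"resp_bytes":0}',
]


def parse_line(line: str) -> dict:
    """One conn.log record in Zeek's JSON-lines output."""
    return json.loads(line)


def is_internal(addr: str) -> bool:
    """Internal destinations are out of scope: this check is about egress."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def check_conn(rec: dict) -> Optional[str]:
    """Return the reason one record looks like non-standard-port C2, or None."""
    if rec.get("proto") not in ("tcp", "udp"):
        return None
    dst, port = rec["id.resp_h"], int(rec["id.resp_p"])
    if is_internal(dst):
        return None
    # Zero-byte sessions are scans or failed handshakes, not a C2 channel.
    if rec.get("orig_bytes", 0) + rec.get("resp_bytes", 0) == 0:
        return None
    # Zeek's service is a set, rendered as "a,b" in JSON; absent when unknown.
    services = [s for s in (rec.get("service") or "").split(",") if s]
    for service in services:
        if service in EXPECTED_PORTS and port not in EXPECTED_PORTS[service]:
            return f"{service} seen on non-standard port {port}"
    if not services and port not in COMMON_EGRESS_PORTS:
        return f"unlabelled data session to uncommon port {port}"
    return None


def find_nonstandard_ports(lines: List[str]) -> List[dict]:
    """Run check_conn over JSON-lines input and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reason = check_conn(rec)
        if reason is not None:
            findings.append({
                "src": rec["id.orig_h"],
                "dst": rec["id.resp_h"],
                "port": int(rec["id.resp_p"]),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_nonstandard_ports(SAMPLE_CONN_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']}  {f['reason']}")
```

Run against the sample it reports three sessions: HTTP on 4444, TLS on 8443 and an unlabelled exchange to 31337. The internal 31337 connection and the zero-byte probe to 9999 are deliberately left alone; those are the two filters that keep this rule from paging on lateral admin traffic and port scans. Whether 8443 belongs in EXPECTED_PORTS["ssl"] is the kind of tuning decision the "Deploy and tune" step is for.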
Detection Coverage
0/9 layers - coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma): none
Analytics (MITRE CAR): none
Runtime / container (Falco): none
File / malware (YARA): none
Network (Suricata/Snort): none
Vuln scan (Nuclei): none
SIEM (Splunk ESCU): none
SIEM (Elastic): none
SIEM (Azure Sentinel): none
Caldera Emulation
3 MITRE Caldera abilities mapped to this technique - one detection and two responses - each an executable action for automated adversary emulation.
detection · windows · Find atypical open ports
# Lists IPv4 TCP listeners whose port is outside the expected set, keyed by owning PID.
# Caveat: "1000-5000" whitelists a large band, so a listener on e.g. 4444 is not reported;
# narrow the ranges to what your build actually uses. IPv6 listeners (RemoteAddress ::)
# are not returned by the 0.0.0.0 filter.
function getFullList($portList) {
    $final = @()
    foreach ($p in $portList) {
        if ($p -like "*-*") {
            # expand "a-b" into every port from a to b inclusive (-le, so the upper bound is kept)
            $minmax = $p.Split("-")
            for ($i = ($minmax[0] -as [int]); $i -le ($minmax[1] -as [int]); $i++) {
                $final += ($i -as [string])
            }
        } else {
            $final += $p
        }
    }
    return $final
}
# Ports expected on a domain-joined Windows host: RPC, NetBIOS, LDAP/LDAPS, SMB, AD Web Services, ephemeral.
$basePorts = @("135","139","389","445","636","1000-5000","9389","49152-65535")
$allPorts = getFullList $basePorts
$pidToPort = @()
foreach ($port in (Get-NetTCPConnection -RemoteAddress 0.0.0.0 -State Listen)) {
    # $allPorts holds strings; -notcontains coerces the integer LocalPort for the comparison
    if ($allPorts -notcontains $port.LocalPort) {
        $pidToPort += , @{pid=$port.OwningProcess; port=$port.LocalPort}
    }
}
$pidToPort | ConvertTo-Json
response · windows · Enable Inbound TCP/UDP firewall rule
# Note: -LocalPort blocks the port for every process. The PID in the display name is informational only;
# New-NetFirewallRule cannot scope by PID (use -Program <exe path> to scope by executable).
New-NetFirewallRule -DisplayName "Block in-bound UDP traffic to port #{host.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Inbound -Protocol UDP -Action Block -LocalPort #{host.port.unauthorized};
New-NetFirewallRule -DisplayName "Block in-bound TCP traffic to port #{host.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Inbound -Protocol TCP -Action Block -LocalPort #{host.port.unauthorized};
response · windows · Enable Outbound TCP/UDP firewall rule
# Same caveat: -RemotePort blocks the destination port for every process on the host, not just the named PID.
New-NetFirewallRule -DisplayName "Block out-bound UDP traffic to port #{remote.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Outbound -Protocol UDP -Action Block -RemotePort #{remote.port.unauthorized};
New-NetFirewallRule -DisplayName "Block out-bound TCP traffic to port #{remote.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Outbound -Protocol TCP -Action Block -RemotePort #{remote.port.unauthorized};
External lookups - second-class, for what we don’t hold ourselves