T0885: Commonly Used Port
Essential information
- MITRE technique ID
T0885- Confidence
- 100/100
- Revoked
- No
- Published
- 21/05/2020 19:43
- Modified
- 27/03/2026 01:44
- Author / Source
- The MITRE Corporation
Description
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.
* TCP:80 (HTTP)
* TCP:443 (HTTPS)
* TCP/UDP:53 (DNS)
* TCP:1024-4999 (OPC on XP/Win2k3)
* TCP:49152-65535 (OPC on Vista and later)
* TCP:23 (TELNET)
* UDP:161 (SNMP)
* TCP:502 (MODBUS)
* TCP:102 (S7comm/ISO-TSAP)
* TCP:20000 (DNP3)
* TCP:44818 (Ethernet/IP)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-ics-attack | command-and-control |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.