T1571 — Non-Standard Port

Technique

T1571

Tactics

Command and Control

MISP citations

0

KEV CVEs mapped

1

Community rules

5

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1571

MITRE description

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2023-38035

Detection coverage

SigmaHQ community rules

• Potentially Suspicious Malware Callback Communication - Linux (core)
• Suspicious DNS Z Flag Bit Set (core)
• Potentially Suspicious Malware Callback Communication (core)
• Communication To Uncommon Destination Ports (core)
• Testing Usage of Uncommonly Used Port (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.