Uncommonly Used Ports

Video Transcription
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at Uncommonly Used Ports within the Command and Control phase of the MITRE ATT&CK framework. So with that, let's go ahead and jump into our objectives.
So today's objectives are pretty straightforward. We're going to describe uncommonly used ports as it's defined in the MITRE ATT&CK framework. We'll look at a piece of spyware, malware here, and we're going to look at some mitigation techniques and detection techniques as well.
So MITRE defines uncommonly used ports as when a threat actor conducts command and control attacks over non-standard ports to bypass proxies and firewalls that are not properly configured. And so, in this case, we're looking to take advantage of poor configuration or improper configuration of these device types or software types.
Now there is a particular piece of spyware that we're going to mention today. It's a spyware Trojan written in Visual Basic. It is known as Agent Tesla, so that sounds pretty cool. Capabilities for this include account discovery, data encryption prior to sending, input capture, remote file copy, video capture, and it has TCP port 587 enabled for command and control communications. So again, using a non-standard port in an attempt to bypass controls.
Using data encryption here, it may be attempting to bypass a data control that looks for data sets being sent out of the network, for a system that may be looking for sensitive information and blocking it. Whatever the case may be, some of those capabilities are a part of this malware and what it can do.
Now let's talk about mitigation techniques at a high level, pretty similar to the last bit. Network intrusion prevention, again, to block common signatures and known attack types. Network segmentation to limit outgoing traffic and reduce the capabilities that threat actors have to easily traverse your network and steal information.
Detection techniques: coming back to analyzing data flows and looking for uncommon patterns, so things like high data to and from a system. Maybe again, if we're monitoring system activity, we have this initial review, and we look at data and we say, okay, it spikes here and it goes stable, and then it goes back down, and we create this baseline. And so our baseline lives here, and everything below it is normal traffic. And so our system and its activities sit on that plane. Now, when the new activity, let's say it's here, and then this happens. Okay, suddenly we have activity that is in excess of the baseline. What was this? Why did it happen? What's going on here? We have to know when activity gets to that threshold, where it was at, for how long and from what systems. And then we have to have the capability to go back and review that activity to ensure that if it was legit, we identified it as such, and if it was not legitimate, we have a way to address it and see if we had something going on that shouldn't have been.
So with that, let's go ahead and do a quick check on learning. True or false: uncommonly used ports are used by threat actors to avoid or bypass poorly configured devices like firewalls.
So if you need additional time, please pause the video. So in this case, uncommonly used ports are used by threat actors to avoid or bypass poorly configured devices like firewalls. And so in this instance, we have a true statement.
Now let's go ahead and jump over to our discussion summary for the day.
We discussed the definition provided for uncommonly used ports. We looked at a piece of malware within this that could be used to bypass controls and do a number of other things. Agent Tesla was its name.
We looked at mitigation techniques, still ringing true with network intrusion prevention techniques and segmentation, and then detection techniques, again, network baselining: understanding our traffic types and patterns and ensuring that when we have anomalous traffic types or patterns, we investigate that and we determine whether or not it was legit. So with that, I want to thank you for your time today, and I look forward to seeing you again.
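The detection approach described in the video, baselining per-host egress volume and then flagging activity that exceeds the baseline or goes to a port the egress policy does not expect, as an added example. This code is not part of the video or the course; the flow records, host names, the `EXPECTED_PORTS` allow-list, the three-sigma threshold and the `floor` tolerance are all constructed assumptions for illustration. The example generalizes slightly beyond the transcript by handling a host whose history is perfectly flat (standard deviation zero) and a host with no baseline at all.

```python
"""Detection example: baseline per-host daily egress volume from flow
records, then flag (a) egress above the baseline threshold and (b) any
outbound flow to a port outside the expected set. All flow data below is
constructed for the example, not real telemetry."""
from collections import defaultdict
from statistics import mean, pstdev

# Ports the hypothetical workstation egress policy expects (assumption).
EXPECTED_PORTS = {53, 80, 443}

# Constructed baseline flow records:
# (day, src_host, dst_ip, dst_port, bytes_out)
BASELINE_FLOWS = [
    (1, "ws-01", "203.0.113.10", 443, 120_000),
    (1, "ws-01", "203.0.113.11", 80, 40_000),
    (2, "ws-01", "203.0.113.10", 443, 130_000),
    (2, "ws-01", "203.0.113.12", 53, 2_000),
    (3, "ws-01", "203.0.113.10", 443, 110_000),
    (4, "ws-01", "203.0.113.10", 443, 125_000),
    (5, "ws-01", "203.0.113.11", 80, 45_000),
    (5, "ws-01", "203.0.113.10", 443, 90_000),
    # ws-02 has a perfectly flat history, so its stdev is zero.
    (1, "ws-02", "203.0.113.10", 443, 50_000),
    (2, "ws-02", "203.0.113.10", 443, 50_000),
    (3, "ws-02", "203.0.113.10", 443, 50_000),
    (4, "ws-02", "203.0.113.10", 443, 50_000),
    (5, "ws-02", "203.0.113.10", 443, 50_000),
]

# Day 6, the window under review (constructed). ws-01 suddenly pushes a
# large volume to TCP/587, the port the video attributes to the sample.
NEW_FLOWS = [
    (6, "ws-01", "203.0.113.10", 443, 115_000),
    (6, "ws-01", "198.51.100.7", 587, 900_000),
    (6, "ws-02", "203.0.113.10", 443, 52_000),
]


def daily_totals(flows):
    """Sum bytes_out per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, _port, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def build_baseline(flows, sigma=3.0, floor=0.1):
    """Per-host threshold = mean + sigma * stdev of daily egress.
    stdev is floored at floor * mean so a host with a flat history
    (stdev 0) still gets a non-zero tolerance instead of alerting on
    every byte above its mean."""
    baseline = {}
    for host, per_day in daily_totals(flows).items():
        values = list(per_day.values())
        mu = mean(values)
        sd = max(pstdev(values), floor * mu)
        baseline[host] = {"mean": mu, "stdev": sd, "threshold": mu + sigma * sd}
    return baseline


def detect(baseline_flows, new_flows, expected_ports=EXPECTED_PORTS, sigma=3.0):
    """Return a list of alert dicts for the review window."""
    baseline = build_baseline(baseline_flows, sigma=sigma)
    alerts = []
    # (b) uncommon destination port: every such flow is worth a look.
    for day, host, dst, port, nbytes in new_flows:
        if port not in expected_ports:
            alerts.append({"type": "uncommon_port", "host": host, "day": day,
                           "dst": dst, "port": port, "bytes": nbytes})
    # (a) daily egress volume versus the host's own baseline.
    for host, per_day in daily_totals(new_flows).items():
        for day, total in per_day.items():
            if host not in baseline:
                alerts.append({"type": "no_baseline", "host": host,
                               "day": day, "bytes": total})
                continue
            threshold = baseline[host]["threshold"]
            if total > threshold:
                alerts.append({"type": "egress_volume", "host": host, "day": day,
                               "bytes": total, "threshold": round(threshold)})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_FLOWS, NEW_FLOWS):
        print(alert)
```

Run as a script it prints two alerts for ws-01 (the flow to port 587 and the day's total far above its baseline) and nothing for ws-02, whose day-6 volume sits inside its floored tolerance. Both alert types answer the questions the video raises: when the threshold was crossed, from which system, to where, and how much, so the analyst can go back and decide whether it was legitimate.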