Threat Hunting for Mismatched Port – Application Traffic


Indicators of compromise (IOCs) are evidence indicating a breach of security. IOCs include virus signatures, IP addresses, hash values of malware, malicious URLs and domains, C2 servers, etc. Documenting and monitoring these IOCs helps organizations react proactively and overcome security breaches.


Mismatch Port – Application Traffic is one of the top 15 indicators of compromise according to security researchers, and it is often observed in current security breaches. Threat hunting and incident response teams are coming up with a wealth of innovative and proactive measures to overcome this issue, focusing both on external attributes, by gathering and sharing intelligence, and on hunting for anomalies within the environment that traditional security mitigations do not detect.

Port numbers range from 0 to 65535: ports 0-1023 are system ports or well-known ports, ports 1024-49151 are user ports or registered ports, and ports 49151 to 65535 are dynamic ports or private ports. If an application uses an unusual port and disguises its traffic as that of the application normally found on that port, this is a sign of compromise. This indicator of compromise is therefore called Mismatch Port – Application Traffic.

This includes both inbound and outbound connections, which often take place over an open port. For instance, an infected host may send C2 communication masked as DNS requests over port 80. The requests may look like normal DNS queries, but investigating them would show that “the traffic is going across a non-standard port.”
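As an added example (not part of the original post), the following Python script shows the check a hunter would run over flow records to surface this indicator: it compares the application protocol identified by payload inspection against the service expected on the destination port, and flags the DNS-over-port-80 case described above. The log lines and the port baseline are constructed for the demo and mimic a subset of Zeek conn.log fields; they are not real traffic.

```python
from collections import namedtuple

# Application protocol a defender expects on each well-known port. Hypothetical
# baseline for this demo; tune it to the environment's own traffic profile.
# Zeek labels TLS as "ssl"; cleartext HTTP on 443 is unusual but not by itself hostile.
EXPECTED_SERVICE = {22: {"ssh"}, 25: {"smtp"}, 53: {"dns"}, 80: {"http"}, 443: {"ssl", "http"}}

Flow = namedtuple("Flow", "ts src dst dport proto service")

# Constructed sample log (tab-separated, a subset of Zeek conn.log fields:
# ts, id.orig_h, id.resp_h, id.resp_p, proto, service). Invented values, not real traffic.
SAMPLE_LOG = """\
1700000000.1\t10.0.0.5\t93.184.216.34\t80\ttcp\thttp
1700000001.4\t10.0.0.5\t8.8.8.8\t53\tudp\tdns
1700000002.9\t10.0.0.7\t203.0.113.10\t80\ttcp\tdns
1700000003.2\t10.0.0.7\t203.0.113.10\t443\ttcp\tssh
1700000004.0\t10.0.0.9\t198.51.100.3\t8443\ttcp\tssl
1700000005.5\t10.0.0.9\t198.51.100.3\t443\ttcp\t-
"""

def parse_flows(text):
    """Parse tab-separated flow lines into Flow records, skipping blank and '#' lines."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, service = line.split("\t")
        flows.append(Flow(float(ts), src, dst, int(dport), proto, service))
    return flows

def find_mismatches(flows):
    """Return (flow, expected_services) where the identified service contradicts the port.
    Ports with no baseline entry and flows whose payload was not classified ("-") are
    skipped: an unidentified protocol is a separate hunt, not evidence of a mismatch."""
    hits = []
    for f in flows:
        expected = EXPECTED_SERVICE.get(f.dport)
        if expected is None or f.service == "-":
            continue
        if f.service not in expected:
            hits.append((f, expected))
    return hits

if __name__ == "__main__":
    # Prints the two constructed mismatches: DNS on port 80 and SSH on port 443.
    for f, expected in find_mismatches(parse_flows(SAMPLE_LOG)):
        print(f"{f.src} -> {f.dst}:{f.dport} carries {f.service}, expected {sorted(expected)}")
```

The baseline deliberately stays silent on registered and dynamic ports and on unclassified payloads, so the output is a short list of contradictions rather than a flood of every non-standard port in use.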

Mismatch Port – Application Traffic falls under the Command and Control phase of the Cyber Kill Chain life cycle. Attackers normally use common protocols (HTTP, HTTPS, SSL/TLS or DNS) or custom protocols to build Command and Control (C2) channels over them, giving them covert remote access to the target network or infrastructure.


*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Ifeanyi Egede. Read the original post at: