title: Commonly Used Port (T1043)
id: df00tech-t1043
status: experimental
description: "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port, or a completely different protocol to evade inspection. For connections within an enclave, common ports include TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP). This technique has been deprecated in favor of T1571 (Non-Standard Port) and T1071 (Application Layer Protocol), but the detection pattern remains relevant: identifying unexpected processes communicating over well-known ports that do not match their expected traffic profile."
references:
  - https://attack.mitre.org/techniques/T1043/
  - https://df00tech.com/detections/T1043
author: df00tech
date: 2026/04/16
tags:
  - attack.t1043
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, the selection below matches every process_creation event (EventID '*'),
  # so the rule must not be deployed until the selection is replaced.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Scripting engines (PowerShell, cscript) used by legitimate IT automation tools to call REST APIs over HTTPS (port 443) — common with Ansible, Chef, Puppet, SCCM"
  - certutil.exe and bitsadmin.exe used by Windows Update or software distribution systems to fetch payloads over HTTP/HTTPS
  - msiexec.exe downloading MSI packages from internal or cloud distribution points over port 80/443
  - "IT monitoring agents (SolarWinds, Datadog, Zabbix) using script-based checks that make HTTP requests"
  - "Developer workstations where build tools (msbuild.exe, csc.exe) reach out to NuGet package feeds over HTTPS"
level: medium
