DET0227: Detection Strategy for Non-Standard Ports
DET0227 is a detection strategy mapped to ATT&CK technique T1571, Non-Standard Port. The business issue is that command-and-control traffic can be made har...
Analyst context for executives and security teams
DET0227 is a detection strategy mapped to ATT&CK technique T1571, Non-Standard Port. The business issue is that command-and-control traffic can be made harder to filter or interpret when protocols appear on unusual ports, such as web-like encrypted traffic outside expected service ports. For leaders, this is less about one indicator and more about whether the organization can prove it understands normal network service use well enough to spot evasive communications.
Executive priority
Prioritize this where network egress control, SOC visibility, and incident response depend on port-based assumptions. Executives should ask whether security teams can identify unexpected protocol-and-port pairings across Windows, macOS, Linux, and ESXi environments referenced by the related ATT&CK technique, and whether exceptions are governed as business-approved services rather than unmanaged noise. This supports resilience, audit evidence for monitoring controls, and faster incident decisions when suspicious command-and-control activity is suspected.
Technical view
The supplied ATT&CK object has no official description or detection text, but it detects T1571, which is in the command-and-control tactic. SOC and detection teams should validate whether network analytics can compare observed protocol behavior against expected port usage, not merely allow or block by port number. Incident responders should treat unusual protocol/port combinations as context for triage, especially when paired with suspicious destinations, uncommon processes, new persistence, or host configuration changes that could enable non-standard listening or outbound communication.
Likely telemetry
- Network flow records showing source, destination, port, protocol, timing, and volume
- Proxy, web gateway, firewall, and egress filtering logs
- TLS/SSL metadata where collected, such as SNI, certificate attributes, and JA3/JA4-style fingerprints if available
- DNS logs correlated with outbound connections
- Endpoint process-to-network connection telemetry on Windows, macOS, Linux, and ESXi where available
Detection direction
- Validate analytics that identify protocol-and-port mismatches, such as HTTPS-like traffic on ports other than expected HTTPS service ports, while accounting for approved business exceptions.
- Tune against known administrative tools, developer services, load balancers, proxies, and application-specific ports to reduce false positives.
- Correlate non-standard port observations with destination reputation, rarity in the environment, first-seen timing, user/host role, and process lineage where endpoint telemetry exists.
- Avoid relying only on port numbers for classification; confirm whether sensors parse or infer application protocol independently of port.
- Review blind spots in encrypted traffic inspection, unmanaged network segments, cloud egress paths, remote offices, and virtualized infrastructure such as ESXi where telemetry may differ.
Mitigation priorities
- Establish and maintain an inventory of approved services, protocols, and expected ports for critical environments.
- Apply egress filtering and firewall policy based on business need, with documented exceptions for legitimate non-standard services.
- Centralize network, DNS, proxy, firewall, and endpoint connection telemetry so SOC teams can correlate unusual protocol/port use.
- Use change control for systems that expose or modify service ports, and investigate unauthorized deviations.
- Periodically test detection logic with benign validation data to confirm visibility and reduce noisy exceptions before an incident.
Analyst notes and limits
This take is based on the detection strategy object DET0227 and its relationship indicating it detects ATT&CK T1571 Non-Standard Port. Because the official detection strategy fields are not populated, recommendations are framed as validation and control questions rather than as MITRE-provided detection logic.
The ATT&CK object does not specify platforms, tactics, description, or official detection content for DET0227. Platform and tactic context is derived only from the related T1571 technique. Local network architecture, approved application behavior, encryption policy, and telemetry coverage are required to determine practical detection quality.
Detection Strategy for Non-Standard Ports
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1571 | Non-Standard Port | This object detects Non-Standard Port. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 2ebf15a2f7c4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0227Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.