Risky Ports Reference
This reference guide analyzes 158 ports from the Risky Ports List, each mapped to real-world attack techniques using MITRE ATT&CK. Ports are organized by severity to prioritize micro-segmentation decisions.
Critical (5 ports): MSRPC 135, SMB 445, RDP 3389, WinRM 5985/5986. Ransomware propagation, wormable RCE, lateral movement. Block immediately.
See the list of Critical Severity Ports.
High (10+ ports): NetBIOS 137-139, STK 3080, VNC 5800/5900, TeamViewer 5938, RustDesk 21114-21119. Remote access and credential theft. Restrict to management networks.
See the list of High Severity Ports.
Medium (38+ ports): SSH 22, FTP 20-21, DNS 53, Kerberos 88, SMTP 25, SNMP 161, MSSQL 1443, LLMNR 5355. Enhanced monitoring is required.
See the list of Medium Severity Ports.
Low (60+ ports): Legacy protocols (ECHO, CHARGEN, FINGER, etc.), web admin ports, Memcached. Disable if unused; primary risk is DDoS amplification.
See the list of Low Severity Ports.
Understanding the Identifiers
This section explains the prefixes used in MITRE ATT&CK identifiers.
Throughout this document each mapping is written as: T1210 - Exploitation of Remote Services [Lateral Movement], i.e. a clickable link to the technique, followed by the technique name, followed by its parent tactic in brackets.
T = Technique (e.g., T1210). The 'T' prefix denotes a specific attack technique in the ATT&CK knowledge base. Sub-techniques use dot notation (e.g., T1021.002 = Remote Services: SMB/Admin Shares). Each technique describes HOW an adversary achieves a goal.
TA = Tactic (e.g., TA0008 = Lateral Movement). The 'TA' prefix denotes a tactic, which is the adversary's high-level goal or the WHY behind an action. Each technique belongs to one or more tactics. The 14 Enterprise tactics are listed below.
T0 = ICS Technique (e.g., T0886). The 'T0' prefix denotes techniques specific to Industrial Control Systems (ICS/SCADA/OT environments).
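As an added example (not part of this reference guide), the following Python classifies identifiers by the prefix rules above and splits a guide entry of the form "ID - Name [Tactic]" into its parts; the sample lines and the regular expressions are constructed for this example, and no domain is inferred for TA identifiers because the guide distinguishes ICS only by the T0 technique prefix.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identifier shapes this guide uses: T1210, T1021.002, TA0008, T0886.
_ID_RE = re.compile(r"^(?P<prefix>TA|T)(?P<num>\d{4})(?:\.(?P<sub>\d{3}))?$")

@dataclass(frozen=True)
class AttackId:
    ident: str             # normalized ID, e.g. "T1021.002"
    kind: str              # "tactic", "technique" or "sub-technique"
    domain: Optional[str]  # "enterprise" for T1xxx, "ics" for T0xxx, None for tactics
    parent: str            # technique or tactic ID without any sub-technique suffix
    sub: Optional[str]     # "002" for T1021.002, None otherwise

def parse_attack_id(text: str) -> AttackId:
    """Classify an ATT&CK identifier by its prefix and dot notation."""
    ident = text.strip().upper()
    m = _ID_RE.match(ident)
    if not m:
        raise ValueError(f"not an ATT&CK identifier: {text!r}")
    prefix, num, sub = m.group("prefix"), m.group("num"), m.group("sub")
    if prefix == "TA":
        if sub is not None:
            raise ValueError(f"tactics have no sub-techniques: {text!r}")
        return AttackId(ident, "tactic", None, ident, None)
    # Enterprise and ICS techniques share the 'T' prefix; ICS IDs are T0xxx.
    domain = "ics" if num[0] == "0" else "enterprise"
    kind = "sub-technique" if sub is not None else "technique"
    return AttackId(ident, kind, domain, f"T{num}", sub)

# Entries in the "ID - Name [Tactic]" form used throughout the guide.
_LINE_RE = re.compile(r"^\s*(?P<id>\S+)\s*-\s*(?P<name>.+?)\s*\[(?P<tactic>[^\]]+)\]\s*$")

def parse_reference_line(line: str) -> dict:
    """Split one guide entry into its identifier, technique name and parent tactic."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not in 'ID - Name [Tactic]' form: {line!r}")
    parsed = parse_attack_id(m.group("id"))
    return {"id": parsed, "name": m.group("name"), "tactic": m.group("tactic")}

# Constructed sample entries in the guide's format (T1021.002 belongs to the
# Lateral Movement tactic in ATT&CK; the line itself is written for this example).
SAMPLE_LINES = [
    "T1210 - Exploitation of Remote Services [Lateral Movement]",
    "T1021.002 - Remote Services: SMB/Admin Shares [Lateral Movement]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_reference_line(line)
        print(entry["id"].parent, entry["id"].kind, entry["tactic"], sep=" | ")
```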