A remote host sends a short sequence of failed connection attempts (RST/ICMP unreachable) to a set of closed ports. Within a brief window the endpoint (a) adds/enables a firewall rule or (b) a sniffer-backed process begins listening or opens a new socket, after which a successful connection occurs. Also detects Wake-on-LAN magic packets seen on the local segment.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Network Traffic Flow (DC0078) | WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | EventCode=2004,2005,2006 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| TimeWindowKnock | Window to correlate knock sequence → rule change → successful connect (e.g., 120s). |
| PortSequenceMinLen | Minimum number of distinct closed ports hit before success (e.g., 3). |
| SuspiciousProcesses | List of binaries that commonly toggle firewall/sniff (netsh.exe, powershell.exe, npcapservice.exe, windivert, rawsock tools). |
| AllowedFirewallChangers | Service accounts or software update agents allowed to change firewall. |
| WoLAllowedWindows | Maintenance windows when magic packets are expected. |

Closed-port knock sequence from a remote IP followed by an on-host firewall change (iptables/nftables) or a daemon starting to listen (socket open), then a successful TCP/UDP connect. Optionally detects libpcap/raw-socket sniffers spawning to watch for the secret knock values.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark) |
| Network Connection Creation (DC0082) | auditd:SYSCALL | socket/bind: Process binds to a new local port shortly after knock |
| Network Traffic Flow (DC0078) | NSM:Flow | Knock pattern: multiple REJ/S0 to distinct closed ports then successful connection to service_port |
| Network Traffic Content (DC0085) | NSM:Flow | Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF×6 + 16×MAC) |

| Field | Description |
|---|---|
| ServicePort | Port that becomes available post-knock (e.g., 22/8022/2323). |
| KnockResetRatio | Percentage of failed attempts with RST/ICMP vs SYN/SYN-ACK to qualify as closed-port probing. |
| ProcessAllowList | Automation expected to touch firewall/daemon configs (config-mgmt agents). |
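The NSM:Flow rows above describe two patterns: several REJ/S0 hits to distinct closed ports from one source followed by a successful connect to ServicePort within TimeWindowKnock, and a Wake-on-LAN magic packet (FF×6 followed by the MAC repeated 16 times). The following is an added example, not part of this detection strategy, that implements both checks over constructed Zeek-style flow tuples and a constructed payload; the record layout, IPs and MAC are assumptions.

```python
"""Port-knock sequence and Wake-on-LAN magic packet detection (added example)."""
from collections import defaultdict

# Constructed flow records in Zeek conn.log style: (ts, src_ip, dst_ip, dst_port, conn_state).
# REJ/S0 = closed port or no reply; SF = completed handshake.
FLOWS = [
    (0.0, "10.0.0.5", "10.0.0.20", 7000, "REJ"),
    (1.5, "10.0.0.5", "10.0.0.20", 8000, "S0"),
    (3.0, "10.0.0.5", "10.0.0.20", 9000, "REJ"),
    (4.0, "10.0.0.9", "10.0.0.20", 80, "SF"),      # unrelated normal web request
    (40.0, "10.0.0.5", "10.0.0.20", 22, "SF"),     # ServicePort opens after the three knocks
    (300.0, "10.0.0.7", "10.0.0.20", 22, "SF"),    # SSH with no preceding knocks: no alert
]

CLOSED_STATES = {"REJ", "S0"}


def detect_knocks(flows, service_port, time_window=120.0, min_len=3):
    """Return (src, dst, knocked_ports, ts) for every successful connect to service_port
    preceded by >= min_len distinct closed-port hits from the same src within time_window."""
    closed_hits = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    alerts = []
    for ts, src, dst, dport, state in sorted(flows):
        key = (src, dst)
        if state in CLOSED_STATES:
            closed_hits[key].append((ts, dport))
        elif dport == service_port:
            recent = {p for t, p in closed_hits[key] if ts - t <= time_window}
            if len(recent) >= min_len:
                alerts.append((src, dst, sorted(recent), ts))
    return alerts


def is_wol_magic(payload: bytes) -> bool:
    """True if payload is a WoL magic packet: 6 x 0xFF, then the target MAC repeated 16 times.
    Trailing bytes (e.g. a SecureOn password) are allowed."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16


# Constructed magic packet for the assumed MAC 00:11:22:33:44:55.
WOL_SAMPLE = b"\xff" * 6 + bytes.fromhex("001122334455") * 16

if __name__ == "__main__":
    print(detect_knocks(FLOWS, service_port=22))   # one alert for 10.0.0.5
    print(is_wol_magic(WOL_SAMPLE))                 # True
```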

Remote knock sequence followed by a PF/socketfilterfw rule update or a background process listening on a new port, then a successful TCP session. Also flags WoL magic packets on the local segment.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers |
| Network Traffic Flow (DC0078) | macos:unifiedlog | Firewall rule enable/disable or listen socket changes |
| Network Connection Creation (DC0082) | NSM:Flow | Closed-port hits followed by success from same src_ip |

| Field | Description |
|---|---|
| PFAnchorPaths | Anchors or conf files monitored for change (/etc/pf.conf, /etc/pf.anchors/*). |
| DeveloperMode | Reduce noise on dev endpoints compiling or testing PF rules. |

Crafted 'SYNful Knock'-style patterns toward routers/switches (the same src hits the interface, broadcast and network address on the same port in short order) followed by ACL/telnet/SSH enablement or a module change. Detect device image/ACL updates followed by a new mgmt session.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | networkdevice:syslog | Config/ACL/line vty changes, service enable (telnet/ssh/http(s)), module reloads |
| Network Connection Creation (DC0082) | NSM:Flow | Port-knock pattern from one src to the device's unicast, broadcast and network addresses on the same port within TimeWindowKnock |

| Field | Description |
|---|---|
| MgmtPortSet | Ports whose sudden enablement should alert (23, 22, 2323, 80/443, 4786). |
| DeviceRole | Applies different thresholds to core/edge/branch devices. |