SYNful Knock

SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[1][2]

ID: S0519
Platforms: Network
Version: 1.0
Created: 19 October 2020
Last Modified: 14 December 2021

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1556.004 | Modify Authentication Process: Network Device Authentication | SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.[1] |
| Enterprise | T1601.001 | Modify System Image: Patch System Image | SYNful Knock is malware that is inserted into a network device by patching the operating system image.[1][2] |
| Enterprise | T1205 | Traffic Signaling | SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.[1] |