Traffic Signaling

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

On network devices, adversaries may use crafted packets to enable Network Device Authentication for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.[2][3][4] To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage Patch System Image due to the monolithic nature of the architecture.

Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.[5][6]

ID: T1205
Sub-techniques:  T1205.001, T1205.002
Platforms: Linux, Network, Windows, macOS
Defense Bypassed: Defensive network service scanning
Contributors: Josh Day, Gigamon; Tony Lee
Version: 2.4
Created: 18 April 2018
Last Modified: 19 October 2022

Procedure Examples

ID Name Description
S1118 BUSHWALK

BUSHWALK can modify the DSUserAgentCap.pm Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests.[7]

S0220 Chaos

Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port.[8]

C0029 Cutting Edge

During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the /tmp/clientsDownload.sock socket.[7]

S0641 Kobalos

Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.[9][10]

S0664 Pandora

Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command.[11]

S0587 Penquin

Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions.[12][13]

S0446 Ryuk

Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement.[5]

S0519 SYNful Knock

SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.[3]

S0221 Umbreon

Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[14]

S0022 Uroburos

Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.[15]

S0430 Winnti for Linux

Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[16]

S1114 ZIPLINE

ZIPLINE can identify a specific string in intercepted network traffic, SSH-2.0-OpenSSH_0.3xx., to trigger its command functionality.[17]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable Wake-on-LAN if it is not needed within an environment.

M1037 Filter Network Traffic

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Content

Monitor and analyze network packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider packet inspection for Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.[18]

Network Traffic Flow

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpcted hardware devices, or other uncommon data flows.

DS0009 Process Process Creation

Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.[19]

References