Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Port Knocking

Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports, but can involve unusual flags, specific strings or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

ID: T1205

Tactic: Defense Evasion, Persistence, Command And Control

Platform:  Linux, macOS

Permissions Required:  User

Requires Network:  Yes

Defense Bypassed:  Defensive network service scanning

Version: 1.0

Examples

NameDescription
Chaos

Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port.[2]

Umbreon

Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet[3]

Mitigation

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

Detection

Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.

References