| ID | Name |
|---|---|
| T1205.001 | Port Knocking |
| T1205.002 | Socket Filters |
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
| ID | Name | Description |
|---|---|---|
| S1204 | cd00r |
cd00r can monitor for a single TCP-SYN packet to be sent in series to a configurable set of ports (200, 80, 22, 53 and 3 in the original code) before opening a port for communication.[1][2] |
| S1060 | Mafalda |
Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.[3][4] |
| S1059 | metaMain |
metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure.[3] |
| G0056 | PROMETHIUM |
PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.[5] |
| S1219 | REPTILE |
REPTILE has the ability to control compromised endpoints via port knocking.[6] |
| G1048 | UNC3886 |
UNC3886 maintained persistence on FortiGate Firewalls through ICMP port knocking.[7] |
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic |
Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0302 | Port-knock → rule/daemon change → first successful connect (T1205.001) | AN0842 |
A remote source rapidly touches a short sequence of closed ports (SYN→RST/S0) on a Windows host. Within a short window the host changes firewall state (WFP rule added/modified or service starts listening) and then the same source completes the first successful handshake to the newly opened port. |
| AN0843 |
A source performs a short closed-port sequence; the host then modifies iptables/nftables/ufw rules or starts a daemon binding a new socket, followed by a successful connection from the same source. |
||
| AN0844 |
A source performs a closed-port sequence; the endpoint enables a PF/socketfilterfw rule or a background process binds a port; then a successful connection completes from the same source. |
||
| AN0845 |
Router/switch receives a knock pattern (same src touches device unicast, broadcast, and network-address on same or stepped ports) followed by ACL/line-vty/service enable and the first mgmt session success. |