Traffic Signaling: Port Knocking

ID Name
T1205.001 Port Knocking
T1205.002 Socket Filters

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

ID: T1205.001
Sub-technique of:  T1205
Platforms: Linux, Network, Windows, macOS
Permissions Required: User
Version: 1.1
Created: 01 July 2020
Last Modified: 11 March 2022

Procedure Examples

ID Name Description
S1060 Mafalda

Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.[2][3]

S1059 metaMain

metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure.[2]

G0056 PROMETHIUM

PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.[4]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Flow

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpcted hardware devices, or other uncommon data flows.

References