Description
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening the port is often accomplished by the host-based firewall, but could also be implemented by custom software.
This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The signal packets that trigger the communication can be observed through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to watch ports that are already open for use by other programs.
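A defender-side way to surface this pattern in connection telemetry, as an added example that is not part of the ATT&CK page or any vendor's detection content: it groups flow records per source/destination pair and flags a run of refused connections to several ports within a short window that is followed by a completed handshake to a different port on the same host. The record format, field names and sample values are constructed.

```python
"""Flag port-knock-like sequences in constructed connection records.

Heuristic: several SYNs from one source to ports that are closed (RST or
no reply) within a short window, then a successful connection from that
same source to a port not among the knocked ones. Example code only;
record format and values are constructed, not taken from any product.
"""
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, outcome)
# outcome "closed" = SYN answered by RST or unanswered; "open" = handshake done
FLOWS = [
    (100.0, "10.0.0.5", "10.0.0.20", 443, "open"),     # ordinary traffic
    (101.0, "10.0.0.9", "10.0.0.20", 7000, "closed"),  # knock 1
    (101.3, "10.0.0.9", "10.0.0.20", 8000, "closed"),  # knock 2
    (101.6, "10.0.0.9", "10.0.0.20", 9000, "closed"),  # knock 3
    (102.0, "10.0.0.9", "10.0.0.20", 2222, "open"),    # port answers after knock
    (150.0, "10.0.0.7", "10.0.0.20", 22, "closed"),    # a lone refused connect
    (300.0, "10.0.0.7", "10.0.0.20", 80, "open"),      # unrelated later success
]


def find_knock_sequences(flows, min_knocks=3, window_s=10.0):
    """Return (src, dst, knocked_ports, opened_port) per suspected knock."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, outcome in sorted(flows):
        by_pair[(src, dst)].append((ts, port, outcome))

    hits = []
    for (src, dst), events in by_pair.items():
        recent_closed = []  # (ts, port) refusals still inside the window
        for ts, port, outcome in events:
            recent_closed = [(t, p) for t, p in recent_closed if ts - t <= window_s]
            if outcome == "closed":
                recent_closed.append((ts, port))
                continue
            knocked = [p for _, p in recent_closed]
            if len(knocked) >= min_knocks and port not in knocked:
                hits.append((src, dst, tuple(knocked), port))
            recent_closed = []  # a completed handshake ends the candidate run
    return hits


if __name__ == "__main__":
    for hit in find_knock_sequences(FLOWS):
        print("possible port knock:", hit)
```

ICMP-triggered variants (as described for UNC3886 above) need ICMP records in the same per-pair timeline; the windowing logic is otherwise unchanged.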
Mitigations (1)
M1037 Filter Network Traffic
Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0056 | PROMETHIUM | [PROMETHIUM](https://attack.mitre.org/groups/G0056) has used a script that configures the knockd service and firewall to only accept C2 connections fr... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) maintained persistence on FortiGate Firewalls through ICMP port knocking.(Citation: Mandiant Fortinet... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can use port-knocking to authenticate itself to another implant called Cryshell to establish an ind... |
| S1219 | REPTILE | Malware | [REPTILE](https://attack.mitre.org/software/S1219) has the ability to control compromised endpoints via port knocking.(Citation: Google Cloud Mandiant... |
| S1204 | cd00r | Malware | [cd00r](https://attack.mitre.org/software/S1204) can monitor for a single TCP-SYN packet to be sent in series to a configurable set of ports (200, 80,... |
| S1059 | metaMain | Malware | [metaMain](https://attack.mitre.org/software/S1059) has authenticated itself to a different implant, Cryshell, through a port knocking and handshake p... |
Frequently Asked Questions
What is T1205.001 (Port Knocking)?
T1205.001 is a MITRE ATT&CK technique named 'Port Knocking'. It belongs to the Stealth, Persistence, Command and Control tactic(s). Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of clo...
How can T1205.001 be detected?
Detection of T1205.001 (Port Knocking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1205.001?
There is 1 documented mitigation for T1205.001: Filter Network Traffic.
Which threat groups use T1205.001?
Known threat groups using T1205.001 include: PROMETHIUM, UNC3886.