Description
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
On network devices, adversaries may use crafted packets to enable Network Device Authentication for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage Patch System Image due to the monolithic nature of the architecture.
Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)
Platforms
Sub-Techniques (2)
Mitigations (2)
Filter Network TrafficM1037
Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.
Disable or Remove Feature or ProgramM1042
Disable Wake-on-LAN if it is not needed within an environment.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compr... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized a magic value in C2 communications and only executes in memory when response packe... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used [TRANSLATEXT](https://attack.mitre.org/software/S1201) to redirect clients to legitimate Gma... |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S1114 | ZIPLINE | Malware | [ZIPLINE](https://attack.mitre.org/software/S1114) can identify a specific string in intercepted network traffic, `SSH-2.0-OpenSSH_0.3xx.`, to trigger... |
| S1118 | BUSHWALK | Malware | [BUSHWALK](https://attack.mitre.org/software/S1118) can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate o... |
| S0587 | Penquin | Malware | [Penquin](https://attack.mitre.org/software/S0587) will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specif... |
| S0519 | SYNful Knock | Malware | [SYNful Knock](https://attack.mitre.org/software/S0519) can be sent instructions via special packets to change its functionality. Code for new functio... |
| S0430 | Winnti for Linux | Malware | [Winnti for Linux](https://attack.mitre.org/software/S0430) has used a passive listener, capable of identifying a specific magic value before executin... |
| S0220 | Chaos | Malware | [Chaos](https://attack.mitre.org/software/S0220) provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any por... |
| S0221 | Umbreon | Malware | [Umbreon](https://attack.mitre.org/software/S0221) provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a s... |
| S0641 | Kobalos | Malware | [Kobalos](https://attack.mitre.org/software/S0641) is triggered by an incoming TCP connection to a legitimate service from a specific source port.(Cit... |
| S0664 | Pandora | Malware | [Pandora](https://attack.mitre.org/software/S0664) can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and ... |
| S0446 | Ryuk | Malware | [Ryuk](https://attack.mitre.org/software/S0446) has used Wake-on-Lan to power on turned off systems for lateral movement.(Citation: Bleeping Computer ... |
| S1219 | REPTILE | Malware | The [REPTILE](https://attack.mitre.org/software/S1219) reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation... |
| S1203 | J-magic | Malware | [J-magic](https://attack.mitre.org/software/S1203) can monitor TCP traffic for packets containing one of five different predefined parameters and will... |
| S9011 | BRUSHFIRE | Malware | [BRUSHFIRE](https://attack.mitre.org/software/S9011) has monitored inbound VPN traffic to compromised appliances until specific inbound packets contai... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has utilized a magic value in C2 communications and only executes in memory when response packets m... |
| S1201 | TRANSLATEXT | Malware | [TRANSLATEXT](https://attack.mitre.org/software/S1201) has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can intercept the first client to server packet in the 3-way TCP handshake to determine if the pac... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has utilized a magic value in C2 communications and only executes in memory when response packets... |
References
- Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
- AMD. (1995, November 1). Magic Packet Technical White Paper. Retrieved February 17, 2021.
- Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.
- Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
- Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.
- Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
Frequently Asked Questions
What is T1205 (Traffic Signaling)?
T1205 is a MITRE ATT&CK technique named 'Traffic Signaling'. It belongs to the Stealth, Persistence, Command and Control tactic(s). Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence t...
How can T1205 be detected?
Detection of T1205 (Traffic Signaling) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1205?
There are 2 documented mitigations for T1205. Key mitigations include: Filter Network Traffic, Disable or Remove Feature or Program.
Which threat groups use T1205?
Known threat groups using T1205 include: UNC3886, Mustang Panda, Kimsuky.