Home
ATT&CK Techniques
T1205 Traffic Signaling

T1205 Traffic Signaling

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

On network devices, adversaries may use crafted packets to enable Network Device Authentication for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage Patch System Image due to the monolithic nature of the architecture.

Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.IR-01.03	Network communications integrity and availability	Mitigates	T1205	Traffic Signaling	Comments This diagnostic statement protects against Traffic Signaling through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. References
PR.PS-01.08	End-user device protection	Mitigates	T1205	Traffic Signaling	Comments This diagnostic statement protects against Traffic Signaling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1205	Traffic Signaling
CM-06	Configuration Settings	mitigates	T1205	Traffic Signaling
SI-15	Information Output Filtering	mitigates	T1205	Traffic Signaling
CM-02	Baseline Configuration	mitigates	T1205	Traffic Signaling
CM-07	Least Functionality	mitigates	T1205	Traffic Signaling
SI-04	System Monitoring	mitigates	T1205	Traffic Signaling
AC-03	Access Enforcement	mitigates	T1205	Traffic Signaling
AC-04	Information Flow Enforcement	mitigates	T1205	Traffic Signaling
SC-07	Boundary Protection	mitigates	T1205	Traffic Signaling

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.hacking.variety.Evade Defenses	Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.	related-to	T1205	Traffic Signaling
action.malware.variety.Backdoor or C2	Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.	related-to	T1205	Traffic Signaling
action.malware.variety.C2	Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.	related-to	T1205	Traffic Signaling

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
azure_firewall	Azure Firewall	technique_scores	T1205	Traffic Signaling	Comments This control provides partial protection for this technique's sub-techniques and procedure examples resulting in a Partial score. References https://learn.microsoft.com/en-us/azure/firewall/overview
azure_network_security_groups	Azure Network Security Groups	technique_scores	T1205	Traffic Signaling	Comments This control provides partial protection for this technique's sub-techniques and procedure examples resulting in an overall Partial score. Other variations that trigger a special response, such as executing a malicous task are not mitigated by this control. References https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
cloud_ngfw	Cloud Next-Generation Firewall (NGFW)_	technique_scores	T1205	Traffic Signaling	Comments Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. This mapping is given a score of partial because the Cloud NGFW does not do anything to protect against traffic signaling among hosts within the network and behind the firewall. References ['https://cloud.google.com/firewalls']

AWS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
amazon_virtual_private_cloud	Amazon Virtual Private Cloud	technique_scores	T1205	Traffic Signaling	Comments VPC security groups and network access control lists (NACLs) can provide significant protection for some variations of this technique, for example Port Knocking. Other variations of this technique such as using traffic signaling to execute a malicious task is not easily mitigated by security groups or NACLs. Consequently, its coverage score is Partial resulting in an overall Partial score. References https://docs.aws.amazon.com/vpc/latest/userguide/security.html
aws_network_firewall	AWS Network Firewall	technique_scores	T1205	Traffic Signaling	Comments AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against traffic signaling among hosts within the network and behind the firewall. References https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1205.002	Socket Filters	7
T1205.001	Port Knocking	17