T1205.001 Port Knocking

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.03 Network communications integrity and availability Mitigates T1205.001 Port Knocking
Comments
This diagnostic statement protects against Port Knocking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
    PR.PS-01.08 End-user device protection Mitigates T1205.001 Port Knocking
    Comments
    This diagnostic statement protects against Port Knocking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
    References

      NIST 800-53 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      CA-07 Continuous Monitoring mitigates T1205.001 Port Knocking
      CM-06 Configuration Settings mitigates T1205.001 Port Knocking
      SI-15 Information Output Filtering mitigates T1205.001 Port Knocking
      CM-07 Least Functionality mitigates T1205.001 Port Knocking
      SI-04 System Monitoring mitigates T1205.001 Port Knocking
      AC-03 Access Enforcement mitigates T1205.001 Port Knocking
      AC-04 Information Flow Enforcement mitigates T1205.001 Port Knocking
      SC-07 Boundary Protection mitigates T1205.001 Port Knocking

      VERIS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1205.001 Port Knocking
      action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1205.001 Port Knocking
      action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1205.001 Port Knocking

      Azure Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      azure_firewall Azure Firewall technique_scores T1205.001 Port Knocking
      Comments
      This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic and therefore lateral movement using this technique within a network is still possible. Due to this partial coverage, it has been scored as Partial.
      References
      azure_network_security_groups Azure Network Security Groups technique_scores T1205.001 Port Knocking
      Comments
      This control can be used to implement whitelist based network rules that can mitigate variations of this sub-techniques that result in opening closed ports for communication. Because this control is able to drop traffic before reaching a compromised host, it can effectively mitigate this port knocking sub-technique.
      References

      AWS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1205.001 Port Knocking
      Comments
      VPC security groups and network access control lists (NACLs) can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the security group or NACL level.
      References
        aws_network_firewall AWS Network Firewall technique_scores T1205.001 Port Knocking
        Comments
        AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against port knocking from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against port knocking among hosts within the network and behind the firewall.
        References