T1205.001 Port Knocking Mappings

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1205.001 Port Knocking
AC-4 Information Flow Enforcement Protects T1205.001 Port Knocking
CA-7 Continuous Monitoring Protects T1205.001 Port Knocking
CM-6 Configuration Settings Protects T1205.001 Port Knocking
CM-7 Least Functionality Protects T1205.001 Port Knocking
SC-7 Boundary Protection Protects T1205.001 Port Knocking
SI-15 Information Output Filtering Protects T1205.001 Port Knocking
SI-4 System Monitoring Protects T1205.001 Port Knocking
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.C2 Command and control (C2) related-to T1205.001 Traffic Signaling: Port Knocking
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1205.001 Port Knocking
aws_network_firewall AWS Network Firewall technique_scores T1205.001 Port Knocking