Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1205.001 | Port Knocking | |
| AC-4 | Information Flow Enforcement | Protects | T1205.001 | Port Knocking | |
| CA-7 | Continuous Monitoring | Protects | T1205.001 | Port Knocking | |
| CM-6 | Configuration Settings | Protects | T1205.001 | Port Knocking | |
| CM-7 | Least Functionality | Protects | T1205.001 | Port Knocking | |
| SC-7 | Boundary Protection | Protects | T1205.001 | Port Knocking | |
| SI-15 | Information Output Filtering | Protects | T1205.001 | Port Knocking | |
| SI-4 | System Monitoring | Protects | T1205.001 | Port Knocking |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1205.001 | Traffic Signaling: Port Knocking | |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1205.001 | Traffic Signaling: Port Knocking |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1205.001 | Port Knocking |
Comments
VPC security groups and network access control lists (NACLs) can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the security group or NACL level.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1205.001 | Port Knocking |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against port knocking from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against port knocking among hosts within the network and behind the firewall.
References
|