Traffic Signaling: Port Knocking

Created the Tuesday 07 March 2023. Updated 6 months, 3 weeks ago.

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r, is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

Technique Identifier

T1205.001

Technique Tags

Defense Evasion Persistence Command and Control hide open ports dynamic opening of a listening port connection to listening servers libpcap libraries raw sockets

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Traffic Signaling: Port Knocking, Sub-technique T1205.001 - Enterprise | MITRE ATT&CK®