1. Home
  2. Software
  3. SYNful Knock

SYNful Knock

SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[1][2]

ID: S0519
Type: MALWARE
Platforms: Network
Version: 1.0
Created: 19 October 2020
Last Modified: 22 October 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1556 .004 Modify Authentication Process: Network Device Authentication

SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.[1]
Enterprise T1601 .001 Modify System Image: Patch System Image

SYNful Knock is malware that is inserted into a network device by patching the operating system image.[1][2]
Enterprise T1205 Traffic Signaling

SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.[1]

References

  1. Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.
  1. Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.