Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.
The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
| ID | Name | Description |
|---|---|---|
| G0056 | PROMETHIUM |
PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic |
Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Connection Creation |
| Network Traffic Flow |
Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.