T1205 Traffic Signaling Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PacketCaptureLibs = dynamic(["wpcap.dll", "npcap.dll", "packet.dll"]);
let LegitNetworkTools = dynamic(["wireshark.exe", "tshark.exe", "dumpcap.exe", "rawcap.exe", "networkminer.exe", "fiddler.exe", "procexp.exe", "procexp64.exe"]);
// Signal 1: Unexpected process loading packet capture libraries (passive listener / magic packet sniffer indicator)
let PacketSnifferLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName has_any (PacketCaptureLibs)
| where not(InitiatingProcessFileName has_any (LegitNetworkTools))
| project Timestamp, DeviceName, AccountName,
          ProcessName = InitiatingProcessFileName,
          CommandLine = InitiatingProcessCommandLine,
          TargetInfo = strcat("Loaded packet capture library: ", FileName),
          AlertType = "PacketCaptureLibraryLoad";
// Signal 2: Wake-on-LAN magic packet transmission (Ryuk ransomware lateral movement pattern)
let WoLTransmission = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where Protocol =~ "Udp"
| where RemotePort in (7, 9)
| where RemoteIP has "255" or RemoteIP =~ "255.255.255.255"
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          ProcessName = InitiatingProcessFileName,
          CommandLine = InitiatingProcessCommandLine,
          TargetInfo = strcat("WoL UDP to ", RemoteIP, ":", tostring(RemotePort)),
          AlertType = "WakeOnLanMagicPacket";
// Signal 3: Sequential failed connections to multiple distinct ports within 60-second window (port knocking pattern)
let PortKnocking = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionFailed"
| summarize
    PortCount = dcount(RemotePort),
    PortList = make_set(RemotePort, 10),
    AttemptCount = count(),
    FirstAttempt = min(Timestamp),
    ProcessCmdLine = any(InitiatingProcessCommandLine),
    ActName = any(InitiatingProcessAccountName)
    by DeviceName, ProcName = InitiatingProcessFileName, RemoteIP, TimeBin = bin(Timestamp, 60s)
| where PortCount >= 3
| project Timestamp = FirstAttempt, DeviceName, AccountName = ActName,
          ProcessName = ProcName, CommandLine = ProcessCmdLine,
          TargetInfo = strcat("Port knocking: ", tostring(PortCount), " unique ports to ", RemoteIP, " within 60s"),
          AlertType = "SequentialPortKnocking";
union PacketSnifferLoad, WoLTransmission, PortKnocking
| sort by Timestamp desc

high severity medium confidence

Data Sources

Module: Module Load Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceNetworkEvents

False Positives

Network monitoring agents (Datadog, PRTG, SolarWinds) that load Npcap/WinPcap libraries for legitimate packet-level telemetry collection
IT management and help desk tools (ManageEngine Desktop Central, custom WoL scripts, PDQ Deploy) that legitimately send Wake-on-LAN packets to power on workstations
Authorized penetration testing or vulnerability scanning tools (nmap, masscan) that generate sequential port connection failures during scheduled assessments
VPN clients and network virtualization software (VMware, VirtualBox, OpenVPN) that load packet capture drivers during normal initialization
Backup or endpoint management platforms that use WoL to wake systems for scheduled maintenance jobs outside business hours
Service discovery and health-check mechanisms in microservice environments that probe multiple ports on container hosts in rapid succession

Splunk

spl

index=wineventlog (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
     (ImageLoaded="*\\wpcap.dll" OR ImageLoaded="*\\npcap.dll" OR ImageLoaded="*\\packet.dll")
     NOT (Image="*\\wireshark.exe" OR Image="*\\tshark.exe" OR Image="*\\dumpcap.exe"
          OR Image="*\\rawcap.exe" OR Image="*\\networkminer.exe" OR Image="*\\fiddler.exe"))
    OR
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
     Protocol=udp (DestinationPort=7 OR DestinationPort=9)
     (DestinationIp="255.255.255.255" OR DestinationIp="*.255"))
)
| eval AlertType=case(
    EventCode=7, "PacketCaptureLibraryLoad",
    EventCode=3, "WakeOnLanMagicPacket",
    1=1, "Unknown"
)
| eval ProcessName=coalesce(Image, "unknown")
| eval Detail=case(
    AlertType="PacketCaptureLibraryLoad", "Packet capture library loaded: ".ImageLoaded,
    AlertType="WakeOnLanMagicPacket", "WoL UDP to ".DestinationIp.":".DestinationPort,
    1=1, "Unknown traffic signal"
)
| table _time, host, User, ProcessName, CommandLine, ImageLoaded, DestinationIp, DestinationPort, Protocol, AlertType, Detail
| sort - _time

high severity medium confidence

Data Sources

Module: Module Load Network Traffic: Network Connection Creation Sysmon Event ID 7 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Network monitoring agents loading Npcap/WinPcap libraries for legitimate traffic capture and telemetry
IT management tools (ManageEngine, PRTG, custom scripts) sending Wake-on-LAN packets to power on workstations for maintenance
Developer workstations with Wireshark or Fiddler installed where auxiliary processes may trigger DLL loads
Backup and endpoint management software that sends WoL packets to wake managed endpoints on a schedule
VPN or network virtualization clients that load packet capture drivers during initialization or reconnection events

Elastic Security (EQL)

eql

// Signal 1: Packet capture library load by unexpected process
sequence by host.name, process.entity_id
  [library where dll.name in~ ("wpcap.dll", "npcap.dll", "packet.dll")
   and not process.name in~ ("wireshark.exe", "tshark.exe", "dumpcap.exe", "rawcap.exe", "networkminer.exe", "fiddler.exe", "procexp.exe", "procexp64.exe")]

// Signal 2: Wake-on-LAN UDP broadcast transmission
network where network.transport == "udp"
  and destination.port in (7, 9)
  and (destination.ip == "255.255.255.255" or destination.ip like~ "*.255.*" or destination.ip like~ "*.255")

// Signal 3: Port knocking — rapid sequential failed connections to distinct ports
sequence by host.name, source.ip with maxspan=60s
  [network where event.action == "connection_refused" or event.outcome == "failure"] with runs=3

high severity medium confidence

Data Sources

Elastic Endpoint (endpoint.events.library) Elastic Endpoint (endpoint.events.network) Winlogbeat with Sysmon (Event ID 7 image load, Event ID 3 network)

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.network-* logs-system.system-* winlogbeat-*

False Positives

Network performance monitoring tools or custom network diagnostics utilities that legitimately load wpcap.dll or npcap.dll for packet inspection outside of standard tools like Wireshark
Wake-on-LAN administrative tools used by IT helpdesk teams to power on remote workstations or servers during maintenance windows
Automated port scanners or vulnerability assessment tools (Nessus, Qualys agent, OpenVAS) running scheduled discovery scans that produce rapid failed connection sequences resembling port knocking

IBM QRadar (AQL)

sql

// Signal 1: Packet capture library loaded by unexpected process (Sysmon Event 7)
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip AS host_ip,
       LOGSOURCENAME(logsourceid) AS log_source,
       username,
       "ImageLoaded" AS loaded_library,
       "Image" AS process_image,
       'PacketCaptureLibraryLoad' AS alert_type,
       CONCAT('Packet capture lib loaded by: ', "Image") AS detail
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 'Microsoft Windows'  -- Sysmon
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND deviceEventCategory = '7'
  AND ("ImageLoaded" ILIKE '%wpcap.dll' OR "ImageLoaded" ILIKE '%npcap.dll' OR "ImageLoaded" ILIKE '%packet.dll')
  AND "Image" NOT ILIKE '%wireshark.exe'
  AND "Image" NOT ILIKE '%tshark.exe'
  AND "Image" NOT ILIKE '%dumpcap.exe'
  AND "Image" NOT ILIKE '%rawcap.exe'
  AND "Image" NOT ILIKE '%networkminer.exe'
  AND "Image" NOT ILIKE '%fiddler.exe'
  AND DEVICETIME > (GETTIMEMICROS() - 86400000000)
UNION ALL
-- Signal 2: Wake-on-LAN broadcast UDP (Sysmon Event 3)
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip AS host_ip,
       LOGSOURCENAME(logsourceid) AS log_source,
       username,
       CONCAT(destinationip, ':', CAST(destinationport AS VARCHAR)) AS loaded_library,
       "Image" AS process_image,
       'WakeOnLanMagicPacket' AS alert_type,
       CONCAT('WoL UDP broadcast to ', destinationip, ':', CAST(destinationport AS VARCHAR)) AS detail
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 'Microsoft Windows'
  AND deviceEventCategory = '3'
  AND protocolid = 17  -- UDP
  AND destinationport IN (7, 9)
  AND (destinationip = '255.255.255.255' OR destinationip ILIKE '%.255')
  AND DEVICETIME > (GETTIMEMICROS() - 86400000000)
ORDER BY event_time DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon events via WinCollect or Sysmon forwarder QRadar DSM for Microsoft Windows Security Event Log Sysmon Event ID 7 (Image Loaded) Sysmon Event ID 3 (Network Connection)

Required Tables

events (QRadar normalized event store) Sysmon Operational log (Microsoft-Windows-Sysmon/Operational)

False Positives

Custom internal network monitoring daemons written by infrastructure teams that legitimately use libpcap or wpcap.dll for bandwidth measurement or traffic analysis
IT asset management systems that use Wake-on-LAN broadcasts to inventory or provision offline systems during off-hours maintenance
Security tools such as PRTG, SolarWinds, or Nagios that use raw socket communication or packet capture internally and may not be in the standard tool whitelist

Sumo Logic CSE

sql

// Signal 1: Packet capture library load by non-standard process (Sysmon Event ID 7)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "7"
| where (ImageLoaded matches "*\\wpcap.dll" OR ImageLoaded matches "*\\npcap.dll" OR ImageLoaded matches "*\\packet.dll")
| where !(Image matches "*\\wireshark.exe" OR Image matches "*\\tshark.exe" OR Image matches "*\\dumpcap.exe" OR Image matches "*\\rawcap.exe" OR Image matches "*\\networkminer.exe" OR Image matches "*\\fiddler.exe" OR Image matches "*\\procexp.exe" OR Image matches "*\\procexp64.exe")
| fields _messageTime, Computer, User, Image, ImageLoaded, CommandLine
| "PacketCaptureLibraryLoad" as AlertType
| concat("Packet capture library loaded: ", ImageLoaded) as Detail

// Signal 2: Wake-on-LAN broadcast (Sysmon Event ID 3, UDP port 7 or 9)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "3"
| where Protocol = "udp"
| where (DestinationPort = "7" OR DestinationPort = "9")
| where (DestinationIp = "255.255.255.255" OR DestinationIp matches "*.255")
| fields _messageTime, Computer, User, Image, DestinationIp, DestinationPort, Protocol
| "WakeOnLanMagicPacket" as AlertType
| concat("WoL UDP to ", DestinationIp, ":", DestinationPort) as Detail

// Signal 3: Port knocking pattern — multiple failed connections within 60s (Sysmon Event ID 3 with connection failures)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "3" AND Initiated = "true"
| timeslice 60s
| count_distinct(DestinationPort) as unique_ports, count as total_attempts by _timeslice, Computer, Image, DestinationIp, User
| where unique_ports >= 3
| concat("Port knocking: ", unique_ports, " unique ports to ", DestinationIp, " in 60s") as Detail
| "SequentialPortKnocking" as AlertType

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Windows collection (Event IDs 3 and 7) Sumo Logic Installed Collector with Windows source Sumo Logic CSE normalized Windows security events

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=WinEventLog/Sysmon

False Positives

Legitimate packet capture tools that are not in the whitelist (e.g., custom in-house network diagnostic scripts calling wpcap.dll) will generate false positives for Signal 1
Wake-on-LAN tools used by helpdesk or MDM solutions for device management will trigger Signal 2 in environments with WoL-based provisioning workflows
Network scanners, vulnerability management agents, or even noisy clients reconnecting during network instability can generate multiple rapid connection failures that resemble port knocking in Signal 3

Google Chronicle / SecOps

yaral

rule t1205_traffic_signaling_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Traffic Signaling (T1205) via passive listener library loading, Wake-on-LAN broadcasts, and port knocking sequences"
    mitre_attack_tactic = "Command and Control, Persistence"
    mitre_attack_technique = "T1205"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Signal 1: Packet capture library loaded by unexpected process
    (
      $e.metadata.event_type = "PROCESS_MODULE_LOAD"
      and (
        re.regex($e.target.file.full_path, `(?i)(wpcap\.dll|npcap\.dll|packet\.dll)$`)
      )
      and not re.regex($e.principal.process.file.full_path, `(?i)(wireshark|tshark|dumpcap|rawcap|networkminer|fiddler|procexp)\.exe$`)
    )
    or
    // Signal 2: Wake-on-LAN UDP to broadcast address on port 7 or 9
    (
      $e.metadata.event_type = "NETWORK_CONNECTION"
      and $e.network.ip_protocol = "UDP"
      and (
        $e.target.port = 7
        or $e.target.port = 9
      )
      and (
        $e.target.ip = "255.255.255.255"
        or re.regex($e.target.ip, `\.255$`)
      )
    )
    or
    // Signal 3: Port knocking — multiple distinct failed connections within short window
    (
      $e.metadata.event_type = "NETWORK_CONNECTION"
      and $e.network.direction = "OUTBOUND"
      and (
        $e.metadata.description = "connection_refused"
        or $e.network.session_id = ""
      )
    )

  match:
    $e.principal.hostname over 1m

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM with Windows Sysmon forwarding Endpoint telemetry via Chronicle SIEM forwarder EDR/AV telemetry normalized to Chronicle UDM Network flow data ingested into Chronicle

Required Tables

UDM events (PROCESS_MODULE_LOAD) UDM events (NETWORK_CONNECTION) Chronicle entity graph for principal.hostname

False Positives

Custom monitoring or observability tooling built on libpcap that loads wpcap.dll or npcap.dll for internal telemetry collection, especially on servers running network performance baselines
Legitimate WoL management software deployed by IT operations (e.g., SolarWinds WoL, ManageEngine Desktop Central) that routinely broadcasts UDP port 7/9 magic packets to wake devices
VPN clients or Zero Trust network access agents that attempt multiple port connections during authentication or tunnel negotiation, producing failed-connection bursts resembling port knocking

CrowdStrike LogScale (CQL)

cql

// Signal 1: Packet capture library load by non-standard process (ModuleLoad events)
#event_simpleName="ModuleLoad"
| ImageFileName = /(?i)(wpcap\.dll|npcap\.dll|packet\.dll)$/
| not ProcessImageFileName = /(?i)(wireshark|tshark|dumpcap|rawcap|networkminer|fiddler|procexp|procexp64)\.exe$/
| groupBy([ComputerName, ProcessImageFileName, ImageFileName, CommandLine, UserName], function=([count(aid, as=LoadCount), min(ContextTimeStamp, as=FirstSeen), max(ContextTimeStamp, as=LastSeen)]))
| rename(field=ProcessImageFileName, as="SuspiciousProcess")
| rename(field=ImageFileName, as="CaptureLibraryLoaded")
| "PacketCaptureLibraryLoad" as AlertType
| table([FirstSeen, ComputerName, UserName, SuspiciousProcess, CaptureLibraryLoaded, CommandLine, AlertType, LoadCount])

// Signal 2: Wake-on-LAN UDP broadcast (NetworkConnectIP4 to broadcast on port 7 or 9)
#event_simpleName="NetworkConnectIP4"
| Protocol = "UDP" OR Protocol = "17"
| RemotePort in [7, 9]
| RemoteAddressIP4 = /^(255\.255\.255\.255|.*\.255)$/
| groupBy([ComputerName, LocalAddressIP4, RemoteAddressIP4, RemotePort, ImageFileName, CommandLine, UserName], function=([count(aid, as=WoLCount), min(ContextTimeStamp, as=FirstSeen)]))
| "WakeOnLanMagicPacket" as AlertType
| table([FirstSeen, ComputerName, UserName, ImageFileName, LocalAddressIP4, RemoteAddressIP4, RemotePort, AlertType, WoLCount])

// Signal 3: Port knocking — sequential failed outbound connections to 3+ distinct ports within 60s
#event_simpleName="NetworkConnectIP4"
| ConnectionFlags = "1" OR ConnectionStatus = /fail|refused/i
| groupBy([ComputerName, RemoteAddressIP4, ImageFileName, UserName, timebucket(field=ContextTimeStamp, buckets="1m")], function=([count_distinct(RemotePort, as=UniquePortCount), count(aid, as=AttemptCount), min(ContextTimeStamp, as=FirstSeen), collect(RemotePort, limit=10, as=PortList)]))
| UniquePortCount >= 3
| "SequentialPortKnocking" as AlertType
| table([FirstSeen, ComputerName, UserName, ImageFileName, RemoteAddressIP4, UniquePortCount, AttemptCount, PortList, AlertType])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) Falcon ModuleLoad events (DLL/library loading telemetry) Falcon NetworkConnectIP4 events (outbound network connection telemetry) Falcon ProcessRollup2 events for process ancestry context

Required Tables

#event_simpleName=ModuleLoad #event_simpleName=NetworkConnectIP4 #event_simpleName=ProcessRollup2

False Positives

In-house network telemetry agents or custom APM tools built on libpcap or WinPcap that are not in the standard network-tool whitelist but serve a legitimate monitoring function
Enterprise Wake-on-LAN management solutions (Dell KACE, PDQ Deploy, ManageEngine) used by IT teams to remotely power on endpoints for patching windows or inventory scans
Zero Trust NAC or micro-segmentation enforcement agents that perform rapid port probing during posture assessment or network discovery phases, generating failed-connection bursts that pattern-match port knocking

Traffic Signaling

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Defense Evasion

Popular Detections