T1205.001

Port Knocking

Defense Evasion Persistence Command and Control

Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access.

Microsoft Sentinel / Defender

kusto

// T1205.001 — Port Knocking Detection
// Three detection branches: Linux knockd daemon activity, network knock sequences via firewall logs, and knock client tool execution

// Branch 1: Linux endpoints — knockd/fwknopd daemon syslog messages indicating knock sequences
let KnockdActivity =
Syslog
| where TimeGenerated > ago(24h)
| where ProcessName in ("knockd", "fwknopd")
    or SyslogMessage has_any ("knockd", "fwknop", "knock sequence", "OPEN SESAME", "Opening port", "Stage 1", "correct knock")
| extend DetectionBranch = case(
    SyslogMessage has_any ("Opening port", "OPEN SESAME", "correct knock", "sequence complete"), "KnockSequenceTriggered",
    SyslogMessage has_any ("Stage 1", "Stage 2", "Stage 3"), "KnockSequenceInProgress",
    ProcessName in ("knockd", "fwknopd"), "KnockDaemonRunning",
    "KnockdGeneralActivity"
  )
| project TimeGenerated, Computer, HostName, ProcessName, SyslogMessage, DetectionBranch;

// Branch 2: Network/firewall devices — rapid sequential denied connections to distinct ports
// from same source IP within a tight time window (knock pattern vs port scan differentiation)
let NetworkKnockSequence =
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceAction in~ ("Deny", "Drop", "Block", "Reject", "DENY", "DROP")
| where isnotempty(SourceIP) and isnotempty(DestinationPort)
| summarize
    DistinctPortsHit = dcount(DestinationPort),
    PortSequence = make_set(DestinationPort, 10),
    TotalPackets = count(),
    WindowStart = min(TimeGenerated),
    WindowEnd = max(TimeGenerated)
    by SourceIP, DeviceName, DeviceProduct, bin(TimeGenerated, 1m)
| where DistinctPortsHit between (3 .. 8)   // knock sequences are 3-8 ports — not a full port scan
    and TotalPackets between (3 .. 12)       // low packet count distinguishes knocking from scanning
| extend KnockDurationSec = datetime_diff('second', WindowEnd, WindowStart)
| where KnockDurationSec between (1 .. 30) // tight timing window characteristic of automated knock sequences
| extend DetectionBranch = "RapidSequentialPortsDenied"
| project TimeGenerated = WindowStart, SourceIP, DeviceName, DeviceProduct,
         DistinctPortsHit, PortSequence, TotalPackets, KnockDurationSec, DetectionBranch;

// Branch 3: Endpoint — execution of known port-knocking client tools
let KnockClientTool =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("knock", "knock.exe", "fwknop", "fwknop.exe")
    or (FileName in~ ("hping3", "hping3.exe", "nping") and ProcessCommandLine has_any ("--syn", "-S", "--tcp"))
    or ProcessCommandLine has_any ("--knock-port", "-knock", "/etc/knockd.conf", "knockd.conf")
| extend DetectionBranch = "KnockClientToolExecution"
| project TimeGenerated = Timestamp, Computer = DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;

union kind=outer KnockdActivity, NetworkKnockSequence, KnockClientTool
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Connection Creation Process: Process Creation Firewall: Firewall Rule Modification Linux Syslog

Required Tables

Syslog CommonSecurityLog DeviceProcessEvents

False Positives

Legitimate administrators using knockd or fwknopd to protect SSH access on servers — extremely common on hardened Linux hosts exposed to the internet
Security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7) that probe multiple ports in sequence during authorized scans
Network monitoring and probing tools that check port availability across a range, which may resemble a knock sequence in firewall deny logs
Developers or sysadmins manually testing firewall rules by attempting connections to multiple ports in succession
Load balancer health checks or service mesh probes that contact multiple backend ports in a brief window

Splunk

spl

| union
  [search (index=linux_logs OR index=syslog) (sourcetype=syslog OR sourcetype=linux_secure)
    (process="knockd" OR process="fwknopd"
     OR message="*knockd*" OR message="*fwknop*"
     OR message="*knock sequence*" OR message="*OPEN SESAME*"
     OR message="*Opening port*" OR message="*Stage 1*" OR message="*correct knock*")
   | eval detection_branch=case(
       match(message, "Opening port|OPEN SESAME|sequence complete|correct knock"), "knock_sequence_triggered",
       match(message, "Stage 1|Stage 2|Stage 3"), "knock_sequence_in_progress",
       match(process, "knockd|fwknopd"), "knock_daemon_running",
       true(), "knockd_general_activity"
     )
   | eval source_ip=coalesce(src_ip, src)
   | table _time, host, process, message, source_ip, detection_branch],
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\knock.exe" OR Image="*\\fwknop.exe"
     OR (Image="*\\hping3.exe" AND (CommandLine="*-S*" OR CommandLine="*--syn*"))
     OR CommandLine="*knockd.conf*" OR CommandLine="*--knock-port*")
   | eval detection_branch="knock_client_tool_execution"
   | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_branch],
  [search (index=firewall OR index=network OR index=paloalto) (action=deny OR action=drop OR action=block OR action=reject)
     isnotnull(src_ip) isnotnull(dest_port)
   | bucket _time span=30s
   | stats dc(dest_port) as distinct_ports, values(dest_port) as port_sequence, count as total_packets,
           min(_time) as window_start, max(_time) as window_end
           by src_ip, _time
   | where distinct_ports >= 3 AND distinct_ports <= 8 AND total_packets >= 3 AND total_packets <= 12
   | eval knock_duration_sec = window_end - window_start
   | where knock_duration_sec <= 30 AND knock_duration_sec >= 1
   | eval detection_branch="rapid_sequential_port_denied"
   | table _time, src_ip, distinct_ports, port_sequence, total_packets, knock_duration_sec, detection_branch]
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Process: Process Creation Linux Syslog Sysmon Event ID 1 Firewall Deny Logs

Required Sourcetypes

syslog linux_secure XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate administrators using knockd or fwknopd to protect SSH access on hardened Linux hosts — this is a common, legitimate use case
Authorized vulnerability scanners probing multiple ports in sequence during scheduled assessments
Network monitoring tools performing availability checks across multiple service ports
Developer testing of firewall rules by manually attempting connections to multiple ports
Load balancer and service mesh probes that sequentially test backend port availability

Elastic Security (EQL)

eql

// Branch 1: knockd/fwknopd daemon activity on Linux endpoints
sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (process.name in ("knockd", "fwknopd") or
    process.args : ("*knockd*", "*fwknop*", "*knock sequence*", "*OPEN SESAME*"))]

// Branch 2: knock client tool execution
process where event.type == "start" and
  (process.name in ("knock", "fwknop") or
   (process.name in ("hping3", "nping") and process.args : ("--syn", "-S", "--tcp")) or
   process.args : ("--knock-port", "-knock", "*knockd.conf*"))

// Branch 3: rapid sequential denied connections (network knock pattern)
// Use aggregation query — run separately in Kibana Lens or ES aggregation
// sequence by source.ip with maxspan=30s
//   [network where event.action in ("denied", "dropped", "blocked", "reject") and destination.port > 0]
//   [network where event.action in ("denied", "dropped", "blocked", "reject") and destination.port > 0] with runs=3

high severity medium confidence

Data Sources

Elastic Endpoint (endpoint.events.process) Filebeat syslog module (Linux syslog/auditd) Filebeat network/firewall modules (Palo Alto, Cisco ASA, pfSense) Elastic Agent network events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-system.syslog-* logs-*.firewall-*

False Positives

Legitimate use of knockd by system administrators to protect SSH or management ports on hardened servers — common in home labs and small business environments where port knocking replaces VPN
Security researchers or penetration testers running authorized knock sequences against target systems during red team engagements or firewall rule validation
Automated configuration management tools (Ansible, Chef, Puppet) that trigger knock sequences as part of bootstrapping sequences before opening management ports
hping3 or nping used by network engineers for legitimate bandwidth testing or SYN-based TCP path MTU discovery with multiple sequential probes

IBM QRadar (AQL)

sql

// Branch 1: knockd/fwknopd daemon syslog activity
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  QIDNAME(qid) AS event_name,
  "message",
  'knock_daemon_activity' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID IN (11 /*Linux Syslog*/, 352 /*Universal DSM*/)
  AND ("message" ILIKE '%knockd%'
    OR "message" ILIKE '%fwknop%'
    OR "message" ILIKE '%knock sequence%'
    OR "message" ILIKE '%OPEN SESAME%'
    OR "message" ILIKE '%Opening port%'
    OR "message" ILIKE '%Stage 1%'
    OR "message" ILIKE '%correct knock%')
  AND LOGSOURCE NOT IN ('trusted_knockd_host_01', 'trusted_knockd_host_02')
LAST 24 HOURS

UNION

// Branch 2: knock client tool process execution (Sysmon or Windows Event 4688)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  QIDNAME(qid) AS event_name,
  "ApplicationPath" AS process_path,
  'knock_client_execution' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID IN (12 /*Microsoft Windows Security Event Log*/, 367 /*Sysmon*/)
  AND (QIDNAME(qid) ILIKE '%process create%' OR eventid IN (1, 4688))
  AND ("ApplicationPath" ILIKE '%\knock.exe'
    OR "ApplicationPath" ILIKE '%\fwknop.exe'
    OR "ApplicationPath" ILIKE '%\hping3.exe'
    OR "CommandLine" ILIKE '%knockd.conf%'
    OR "CommandLine" ILIKE '%--knock-port%')
LAST 24 HOURS

UNION

// Branch 3: firewall denied sequential port pattern (knock detection)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS window_start,
  sourceip,
  COUNT(DISTINCT destinationport) AS distinct_ports_hit,
  COUNT(*) AS total_packets,
  LONG(MAX(starttime) - MIN(starttime)) / 1000 AS knock_duration_sec,
  'rapid_sequential_ports_denied' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID IN (5 /*Firewall*/, 6 /*IDS/IPS*/, 15 /*Cisco ASA*/, 28 /*Palo Alto*/)
  AND (devicedirection = 'Inbound' OR devicedirection IS NULL)
  AND ("action" ILIKE '%deny%'
    OR "action" ILIKE '%drop%'
    OR "action" ILIKE '%block%'
    OR "action" ILIKE '%reject%')
  AND sourceip IS NOT NULL
  AND destinationport IS NOT NULL
GROUP BY sourceip, TRUNC(starttime, 30000)
HAVING COUNT(DISTINCT destinationport) BETWEEN 3 AND 8
  AND COUNT(*) BETWEEN 3 AND 12
  AND LONG(MAX(starttime) - MIN(starttime)) / 1000 BETWEEN 1 AND 30
LAST 24 HOURS
ORDER BY window_start DESC

high severity medium confidence

Data Sources

Linux Syslog (QRadar DSM) Microsoft Windows Security Event Log Sysmon for Windows Firewall log sources (Palo Alto, Cisco ASA, pfSense, Check Point) IDS/IPS events

Required Tables

events

False Positives

Authorized use of knockd on hardened Linux servers where sysadmins use port knocking to protect SSH access — generates knock_daemon_activity alerts on every legitimate access attempt
Penetration testing engagements where testers enumerate services using sequential low-packet-count probes that superficially resemble knock sequences in the 3-8 port range
Load balancer health checks or monitoring agents that probe multiple service ports on a backend in rapid succession, appearing as sequential denied probes if any ports are filtered

Sumo Logic CSE

sql

// Branch 1: knockd/fwknopd daemon syslog activity
(_sourceCategory=linux/syslog OR _sourceCategory=linux/secure OR _sourceCategory=os/linux)
| where process matches "knockd" or process matches "fwknopd"
  or message matches "*knockd*" or message matches "*fwknop*"
  or message matches "*knock sequence*" or message matches "*OPEN SESAME*"
  or message matches "*Opening port*" or message matches "*Stage 1*"
  or message matches "*correct knock*"
| if (message matches "Opening port" or message matches "OPEN SESAME"
       or message matches "sequence complete" or message matches "correct knock",
     "knock_sequence_triggered",
   if (message matches "Stage 1" or message matches "Stage 2" or message matches "Stage 3",
     "knock_sequence_in_progress",
   if (process matches "knockd" or process matches "fwknopd",
     "knock_daemon_running",
     "knockd_general_activity"))) as detection_branch
| fields _messageTime, _sourceHost, process, message, detection_branch

// Branch 2: knock client tool execution (Sysmon EventCode=1)
// Run as separate query:
// (_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process)
// | where EventCode = 1
// | where Image matches "*\\knock.exe" or Image matches "*\\fwknop.exe"
//   or Image matches "*\\hping3.exe"
//   or CommandLine matches "*knockd.conf*" or CommandLine matches "*--knock-port*"
// | if (Image matches "*hping3*" and (CommandLine matches "*--syn*" or CommandLine matches "*-S *"),
//     "hping3_syn_knock", "knock_client_execution") as detection_branch
// | fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, detection_branch

// Branch 3: firewall sequential denied ports — network knock pattern
// Run as separate query:
// (_sourceCategory=firewall OR _sourceCategory=network/firewall OR _sourceCategory=paloalto)
// | where action matches "*deny*" or action matches "*drop*"
//   or action matches "*block*" or action matches "*reject*"
// | where !isNull(src_ip) and !isNull(dest_port)
// | timeslice 30s
// | stats dcount(dest_port) as distinct_ports,
//         values(dest_port) as port_sequence,
//         count as total_packets,
//         min(_messageTime) as window_start,
//         max(_messageTime) as window_end
//         by src_ip, _timeslice
// | where distinct_ports >= 3 and distinct_ports <= 8
//   and total_packets >= 3 and total_packets <= 12
// | where (window_end - window_start) / 1000 >= 1
//   and (window_end - window_start) / 1000 <= 30
// | "rapid_sequential_ports_denied" as detection_branch
// | fields window_start, src_ip, distinct_ports, port_sequence, total_packets, detection_branch

high severity medium confidence

Data Sources

Linux syslog (Sumo Logic installed collector, syslog source) Sysmon for Windows via Sumo Logic Windows Event Log source Firewall logs (Palo Alto, Cisco ASA, pfSense via Sumo Logic) Cloud SIEM Enterprise normalized events

Required Tables

_sourceCategory=linux/syslog _sourceCategory=windows/sysmon _sourceCategory=firewall _sourceCategory=network/firewall

False Positives

Production Linux servers with knockd legitimately configured for SSH access protection — every successful admin login generates knock_sequence_triggered alerts; these require allowlisting known management hosts
Automated deployment pipelines that include a knock sequence step before opening configuration management ports, causing periodic benign knock_sequence_in_progress alerts during scheduled deployments
Vulnerability scanners (Tenable, Qualys, Rapid7) performing low-intensity service discovery against filtered ports — the low packet count and short duration can match knock sequence thresholds

Google Chronicle / SecOps

yaral

rule t1205_001_port_knocking_daemon_activity {
  meta:
    author = "df00tech"
    description = "Detects T1205.001 port knocking via knockd/fwknopd daemon syslog messages indicating knock sequence receipt or completion"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1205.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1205/001/"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.principal.process.file.full_path = /knockd/ nocase or
      $e.principal.process.file.full_path = /fwknopd/ nocase or
      $e.target.process.file.full_path = /knockd/ nocase or
      $e.target.process.file.full_path = /fwknopd/ nocase
    )
    $host = $e.principal.hostname

  condition:
    $e
}

rule t1205_001_port_knocking_client_execution {
  meta:
    author = "df00tech"
    description = "Detects T1205.001 port knocking via execution of known knock client tools including knock, fwknop, and hping3 with SYN flags"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1205.001"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1205/001/"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = /\\knock\.exe$/ nocase or
      $e.target.process.file.full_path = /\/knock$/ nocase or
      $e.target.process.file.full_path = /\\fwknop\.exe$/ nocase or
      $e.target.process.file.full_path = /\/fwknop$/ nocase or
      (
        $e.target.process.file.full_path = /hping3/ nocase and
        (
          re.regex($e.target.process.command_line, `--syn`) or
          re.regex($e.target.process.command_line, `\s-S\s`)
        )
      ) or
      re.regex($e.target.process.command_line, `knockd\.conf`) or
      re.regex($e.target.process.command_line, `--knock-port`)
    )
    $host = $e.principal.hostname
    $cmdline = $e.target.process.command_line

  condition:
    $e
}

rule t1205_001_port_knocking_network_sequence {
  meta:
    author = "df00tech"
    description = "Detects T1205.001 port knocking via rapid sequential denied network connections to 3+ distinct ports from same source within 30 seconds"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1205.001"
    severity = "HIGH"
    confidence = "LOW"
    reference = "https://attack.mitre.org/techniques/T1205/001/"
    created = "2026-04-19"

  events:
    $e1.metadata.event_type = "NETWORK_CONNECTION"
    $e1.network.direction = "INBOUND"
    $e1.security_result.action = "BLOCK"
    $e1.principal.ip = $src_ip
    $e1.target.port = $port1

    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.network.direction = "INBOUND"
    $e2.security_result.action = "BLOCK"
    $e2.principal.ip = $src_ip
    $e2.target.port = $port2

    $e3.metadata.event_type = "NETWORK_CONNECTION"
    $e3.network.direction = "INBOUND"
    $e3.security_result.action = "BLOCK"
    $e3.principal.ip = $src_ip
    $e3.target.port = $port3

    $port1 != $port2
    $port2 != $port3
    $port1 != $port3

  match:
    $src_ip over 30s

  condition:
    $e1 and $e2 and $e3
}

high severity medium confidence

Data Sources

Chronicle UDM (Unified Data Model) — endpoint telemetry Chronicle ingested firewall/network logs (Palo Alto, Cisco, Fortinet parsers) Linux process telemetry via Chronicle forwarder or GCP Chronicle agent Windows Sysmon events ingested via Chronicle Windows forwarder

Required Tables

UDM events (PROCESS_LAUNCH) UDM events (NETWORK_CONNECTION)

False Positives

Legitimate knockd deployments on bastion hosts or jump servers where administrators use port knocking as a VPN replacement — daemon process launches and syslog messages are expected and benign in this context
Red team operators performing authorized port knocking tests against client environments during scheduled penetration testing windows — coordinate with SOC to suppress alerts during known engagement periods
Network monitoring tools that generate synthetic probes to 3+ filtered ports as part of availability or reachability checks, triggering the network sequence rule without malicious intent

CrowdStrike LogScale (CQL)

cql

// Branch 1: knock client tool execution via Falcon process telemetry
#event_simpleName = ProcessRollup2
| FileName = /^(knock|knock\.exe|fwknop|fwknop\.exe)$/i
  OR (FileName = /^hping3(?\.exe)?$/i AND CommandLine = /(-S|--syn)/i)
  OR CommandLine = /knockd\.conf/i
  OR CommandLine = /--knock-port/i
| eval detection_branch = "knock_client_tool_execution"
| table([ _time, ComputerName, UserName, FileName, CommandLine,
          ParentBaseFileName, ParentCommandLine, detection_branch ])

// Branch 2: knockd/fwknopd daemon process presence
// Run as separate saved search:
// #event_simpleName = ProcessRollup2
// | FileName = /^(knockd|fwknopd)$/i
//   OR CommandLine = /knockd/i
//   OR CommandLine = /fwknopd/i
// | eval detection_branch = "knock_daemon_running"
// | table([ _time, ComputerName, UserName, FileName, CommandLine,
//           ParentBaseFileName, detection_branch ])

// Branch 3: rapid sequential denied network connections (knock pattern)
// Run as separate saved search:
// #event_simpleName = NetworkConnectIP4
// | LocalPort = *
// | groupBy([ RemoteAddressIP4, ComputerName ],
//     function=[
//       count() as total_packets,
//       count(LocalPort, distinct=true) as distinct_ports,
//       min(_time) as window_start,
//       max(_time) as window_end,
//       collect(LocalPort) as port_sequence
//     ]
//   )
// | eval knock_duration_sec = (window_end - window_start) / 1000
// | where distinct_ports >= 3
//   AND distinct_ports <= 8
//   AND total_packets >= 3
//   AND total_packets <= 12
//   AND knock_duration_sec >= 1
//   AND knock_duration_sec <= 30
// | eval detection_branch = "rapid_sequential_network_knock"
// | table([ window_start, RemoteAddressIP4, ComputerName, distinct_ports,
//           port_sequence, total_packets, knock_duration_sec, detection_branch ])

// Enrichment: correlate knock tool execution with subsequent DNS or outbound network
// #event_simpleName = ProcessRollup2
// | FileName = /^(knock|fwknop)(\.exe)?$/i
// | join type=inner
//   (
//     #event_simpleName = DnsRequest
//     | rename(field=ComputerName, as=dns_host)
//   )
//   where ComputerName = dns_host
// | table([ _time, ComputerName, FileName, CommandLine, DomainName ])

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor — ProcessRollup2 events (Windows, Linux, macOS) CrowdStrike Falcon sensor — NetworkConnectIP4 events CrowdStrike Falcon sensor — DnsRequest events CrowdStrike Falcon sensor — Linux process telemetry (knockd/fwknopd)

Required Tables

ProcessRollup2 NetworkConnectIP4 DnsRequest

False Positives

Authorized IT security teams running knock sequences against their own hardened servers during infrastructure access reviews or post-change verification — FileName and CommandLine will match detection patterns for legitimate knock tool invocations
Developers on security teams who have knock installed as a local utility for accessing personal homelab infrastructure through corporate endpoint sensors, generating low-severity noise in the detection feed
Automated post-exploitation simulation platforms (Atomic Red Team, VECTR, AttackIQ) running T1205.001 atomic tests during scheduled purple team exercises — coordinate suppression windows with the SOC before running test sequences

Last updated: 2026-04-19 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1205.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Port Knocking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections