Detect Port Knocking in Google Chronicle
Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access.
MITRE ATT&CK
- Technique
- T1205 Traffic Signaling
- Sub-technique
- T1205.001 Port Knocking
- Canonical reference
- https://attack.mitre.org/techniques/T1205/001/
YARA-L Detection Query
rule t1205_001_port_knocking_daemon_activity {
meta:
author = "df00tech"
description = "Detects T1205.001 port knocking via knockd/fwknopd daemon syslog messages indicating knock sequence receipt or completion"
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "T1205.001"
severity = "HIGH"
confidence = "MEDIUM"
reference = "https://attack.mitre.org/techniques/T1205/001/"
created = "2026-04-19"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
$e.principal.process.file.full_path = /knockd/ nocase or
$e.principal.process.file.full_path = /fwknopd/ nocase or
$e.target.process.file.full_path = /knockd/ nocase or
$e.target.process.file.full_path = /fwknopd/ nocase
)
$host = $e.principal.hostname
condition:
$e
}
rule t1205_001_port_knocking_client_execution {
meta:
author = "df00tech"
description = "Detects T1205.001 port knocking via execution of known knock client tools including knock, fwknop, and hping3 with SYN flags"
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "T1205.001"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1205/001/"
created = "2026-04-19"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
$e.target.process.file.full_path = /\\knock\.exe$/ nocase or
$e.target.process.file.full_path = /\/knock$/ nocase or
$e.target.process.file.full_path = /\\fwknop\.exe$/ nocase or
$e.target.process.file.full_path = /\/fwknop$/ nocase or
(
$e.target.process.file.full_path = /hping3/ nocase and
(
re.regex($e.target.process.command_line, `--syn`) or
re.regex($e.target.process.command_line, `\s-S\s`)
)
) or
re.regex($e.target.process.command_line, `knockd\.conf`) or
re.regex($e.target.process.command_line, `--knock-port`)
)
$host = $e.principal.hostname
$cmdline = $e.target.process.command_line
condition:
$e
}
rule t1205_001_port_knocking_network_sequence {
meta:
author = "df00tech"
description = "Detects T1205.001 port knocking via rapid sequential denied network connections to 3+ distinct ports from same source within 30 seconds"
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "T1205.001"
severity = "HIGH"
confidence = "LOW"
reference = "https://attack.mitre.org/techniques/T1205/001/"
created = "2026-04-19"
events:
$e1.metadata.event_type = "NETWORK_CONNECTION"
$e1.network.direction = "INBOUND"
$e1.security_result.action = "BLOCK"
$e1.principal.ip = $src_ip
$e1.target.port = $port1
$e2.metadata.event_type = "NETWORK_CONNECTION"
$e2.network.direction = "INBOUND"
$e2.security_result.action = "BLOCK"
$e2.principal.ip = $src_ip
$e2.target.port = $port2
$e3.metadata.event_type = "NETWORK_CONNECTION"
$e3.network.direction = "INBOUND"
$e3.security_result.action = "BLOCK"
$e3.principal.ip = $src_ip
$e3.target.port = $port3
$port1 != $port2
$port2 != $port3
$port1 != $port3
match:
$src_ip over 30s
condition:
$e1 and $e2 and $e3
}Three Chronicle YARA-L 2.0 rules detecting T1205.001 port knocking: (1) knockd/fwknopd daemon process launch events on Linux hosts indicating knock daemon presence, (2) knock client tool execution (knock, fwknop, hping3 with SYN flags, knockd.conf command lines) on any endpoint, and (3) network-level detection of rapid sequential denied inbound connections to 3+ distinct ports from the same source IP within a 30-second window using UDM NETWORK_CONNECTION events with BLOCK action. Rule 3 has low confidence due to Chronicle's per-rule event type constraints limiting port count aggregation compared to SPL/KQL.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate knockd deployments on bastion hosts or jump servers where administrators use port knocking as a VPN replacement — daemon process launches and syslog messages are expected and benign in this context
- Red team operators performing authorized port knocking tests against client environments during scheduled penetration testing windows — coordinate with SOC to suppress alerts during known engagement periods
- Network monitoring tools that generate synthetic probes to 3+ filtered ports as part of availability or reachability checks, triggering the network sequence rule without malicious intent
Other platforms for T1205.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install and Configure knockd Daemon on Linux
Expected signal: Syslog entries from knockd daemon: '<timestamp> <host> knockd: Starting...' and 'knockd: listening on lo'. Package manager log entries in /var/log/dpkg.log or /var/log/yum.log for knockd installation. Auditd execve events for apt-get/yum and knockd process creation. File creation event for /tmp/knockd-test.conf. If using MDE Linux agent: DeviceProcessEvents with FileName=knockd.
- Test 2Send Port Knock Sequence Using knock Client
Expected signal: DeviceProcessEvents (MDE Linux agent): FileName=knock, ProcessCommandLine='knock 127.0.0.1 7000 8000 9000 -v'. Sysmon for Linux Event ID 3 (if deployed): three outbound network connections to 127.0.0.1 on ports 7000, 8000, 9000. Network flow logs will show three SYN packets with no SYN-ACK response (ports are closed), followed optionally by a successful connection to port 4444 if knockd is configured.
- Test 3Simulate Port Knock Using hping3 Crafted SYN Packets
Expected signal: DeviceProcessEvents: four invocations of hping3 with -S flag and different -p port values. Each hping3 execution creates a raw socket (AF_PACKET or SOCK_RAW) visible in auditd socket syscall events. Network flow: four SYN packets to 127.0.0.1 on ports 200, 80, 22, 53 in rapid succession — matches the exact cd00r default knock sequence documented in the MITRE reference.
- Test 4Simulate Port Knock Sequence from Windows Using PowerShell TCP Connections
Expected signal: Sysmon Event ID 3 (Network Connection): three network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 within 500ms. DeviceNetworkEvents in MDE: three ConnectionFailed events from PowerShell to localhost. DeviceProcessEvents: powershell.exe with CommandLine containing 'TcpClient' and the port numbers. Windows Filtering Platform (WFP) audit log may capture the refused connection attempts.
References (8)
- https://attack.mitre.org/techniques/T1205/001/
- https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-uses-fortigate-fortimanager-zero-day
- https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- https://github.com/jvinet/knock
- https://www.cipherdyne.org/fwknop/
- https://github.com/moxie0/knockknock
Unlock Pro Content
Get the full detection package for T1205.001 including response playbook, investigation guide, and atomic red team tests.