Detect Port Knocking in Elastic Security
Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access.
MITRE ATT&CK
- Technique
- T1205 Traffic Signaling
- Sub-technique
- T1205.001 Port Knocking
- Canonical reference
- https://attack.mitre.org/techniques/T1205/001/
Elastic Detection Query
// Branch 1: knockd/fwknopd daemon activity on Linux endpoints
sequence by host.name with maxspan=5m
[process where event.type == "start" and
(process.name in ("knockd", "fwknopd") or
process.args : ("*knockd*", "*fwknop*", "*knock sequence*", "*OPEN SESAME*"))]
// Branch 2: knock client tool execution
process where event.type == "start" and
(process.name in ("knock", "fwknop") or
(process.name in ("hping3", "nping") and process.args : ("--syn", "-S", "--tcp")) or
process.args : ("--knock-port", "-knock", "*knockd.conf*"))
// Branch 3: rapid sequential denied connections (network knock pattern)
// Use aggregation query — run separately in Kibana Lens or ES aggregation
// sequence by source.ip with maxspan=30s
// [network where event.action in ("denied", "dropped", "blocked", "reject") and destination.port > 0]
// [network where event.action in ("denied", "dropped", "blocked", "reject") and destination.port > 0] with runs=3Detects port knocking activity via three branches: knockd/fwknopd daemon syslog messages indicating knock sequence processing, execution of known knock client tools (knock, fwknop, hping3 with SYN flags), and rapid sequential denied connections from a single source IP to 3-8 distinct ports within 30 seconds. Covers Linux-based knockd configurations, REPTILE-style raw socket implementations, and adversary use of standalone knock clients.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate use of knockd by system administrators to protect SSH or management ports on hardened servers — common in home labs and small business environments where port knocking replaces VPN
- Security researchers or penetration testers running authorized knock sequences against target systems during red team engagements or firewall rule validation
- Automated configuration management tools (Ansible, Chef, Puppet) that trigger knock sequences as part of bootstrapping sequences before opening management ports
- hping3 or nping used by network engineers for legitimate bandwidth testing or SYN-based TCP path MTU discovery with multiple sequential probes
Other platforms for T1205.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install and Configure knockd Daemon on Linux
Expected signal: Syslog entries from knockd daemon: '<timestamp> <host> knockd: Starting...' and 'knockd: listening on lo'. Package manager log entries in /var/log/dpkg.log or /var/log/yum.log for knockd installation. Auditd execve events for apt-get/yum and knockd process creation. File creation event for /tmp/knockd-test.conf. If using MDE Linux agent: DeviceProcessEvents with FileName=knockd.
- Test 2Send Port Knock Sequence Using knock Client
Expected signal: DeviceProcessEvents (MDE Linux agent): FileName=knock, ProcessCommandLine='knock 127.0.0.1 7000 8000 9000 -v'. Sysmon for Linux Event ID 3 (if deployed): three outbound network connections to 127.0.0.1 on ports 7000, 8000, 9000. Network flow logs will show three SYN packets with no SYN-ACK response (ports are closed), followed optionally by a successful connection to port 4444 if knockd is configured.
- Test 3Simulate Port Knock Using hping3 Crafted SYN Packets
Expected signal: DeviceProcessEvents: four invocations of hping3 with -S flag and different -p port values. Each hping3 execution creates a raw socket (AF_PACKET or SOCK_RAW) visible in auditd socket syscall events. Network flow: four SYN packets to 127.0.0.1 on ports 200, 80, 22, 53 in rapid succession — matches the exact cd00r default knock sequence documented in the MITRE reference.
- Test 4Simulate Port Knock Sequence from Windows Using PowerShell TCP Connections
Expected signal: Sysmon Event ID 3 (Network Connection): three network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 within 500ms. DeviceNetworkEvents in MDE: three ConnectionFailed events from PowerShell to localhost. DeviceProcessEvents: powershell.exe with CommandLine containing 'TcpClient' and the port numbers. Windows Filtering Platform (WFP) audit log may capture the refused connection attempts.
References (8)
- https://attack.mitre.org/techniques/T1205/001/
- https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-uses-fortigate-fortimanager-zero-day
- https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- https://github.com/jvinet/knock
- https://www.cipherdyne.org/fwknop/
- https://github.com/moxie0/knockknock
Unlock Pro Content
Get the full detection package for T1205.001 including response playbook, investigation guide, and atomic red team tests.