Detect Port Knocking in CrowdStrike LogScale
Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access.
MITRE ATT&CK
- Technique: T1205 Traffic Signaling
- Sub-technique: T1205.001 Port Knocking
- Canonical reference: https://attack.mitre.org/techniques/T1205/001/
LogScale Detection Query

Branch 1: knock client tool execution via Falcon process telemetry.

```
// Branch 1: knock client tool execution via Falcon process telemetry
#event_simpleName = ProcessRollup2
| FileName = /^(knock|knock\.exe|fwknop|fwknop\.exe)$/i
  OR (FileName = /^hping3(\.exe)?$/i AND CommandLine = /(-S|--syn)/i)
  OR CommandLine = /knockd\.conf/i
  OR CommandLine = /--knock-port/i
| detection_branch := "knock_client_tool_execution"
| table([ _time, ComputerName, UserName, FileName, CommandLine,
          ParentBaseFileName, ParentCommandLine, detection_branch ])
```

Branch 2: knockd/fwknopd daemon process presence. Run as a separate saved search.

```
// Branch 2: knockd/fwknopd daemon process presence
#event_simpleName = ProcessRollup2
| FileName = /^(knockd|fwknopd)$/i
  OR CommandLine = /knockd/i
  OR CommandLine = /fwknopd/i
| detection_branch := "knock_daemon_running"
| table([ _time, ComputerName, UserName, FileName, CommandLine,
          ParentBaseFileName, detection_branch ])
```

Branch 3: rapid sequential connection attempts to a small set of distinct ports (knock pattern). Run as a separate saved search. NetworkConnectIP4 records connection attempts made from the sensor host, so the knocked ports are RemotePort; knocks aimed at this endpoint's own closed ports never complete a connection for the sensor to record and need host firewall logs instead.

```
// Branch 3: rapid sequential connection attempts to distinct ports (knock pattern)
#event_simpleName = NetworkConnectIP4
| groupBy([ RemoteAddressIP4, ComputerName ],
    function=[
      count(as=total_packets),
      count(RemotePort, distinct=true, as=distinct_ports),
      min(_time, as=window_start),
      max(_time, as=window_end),
      collect([RemotePort])          // collected set of knocked ports
    ]
  )
| rename(field=RemotePort, as=port_sequence)
| knock_duration_sec := (window_end - window_start) / 1000   // _time is epoch ms
| distinct_ports >= 3 AND distinct_ports <= 8                 // a knock uses a few ports, a scan uses many
| total_packets >= 3 AND total_packets <= 12                  // low volume, unlike a scan or retry storm
| knock_duration_sec >= 1 AND knock_duration_sec <= 30
| detection_branch := "rapid_sequential_network_knock"
| table([ window_start, RemoteAddressIP4, ComputerName, distinct_ports,
          port_sequence, total_packets, knock_duration_sec, detection_branch ])
```

Enrichment: correlate knock tool execution with subsequent DNS activity on the same host.

```
// Enrichment: join knock tool execution to DnsRequest events on the same ComputerName
#event_simpleName = ProcessRollup2
| FileName = /^(knock|fwknop)(\.exe)?$/i
| join({ #event_simpleName = DnsRequest },
       field=ComputerName, key=ComputerName, include=[DomainName], mode=inner)
| table([ _time, ComputerName, FileName, CommandLine, DomainName ])
```

Detects T1205.001 port knocking via three CrowdStrike LogScale CQL branches: (1) ProcessRollup2 events matching knock, fwknop, or hping3 (with SYN flags) binary names, or command-line patterns for knockd.conf and --knock-port arguments, which is high-confidence Falcon process telemetry covering Windows and macOS endpoints; (2) knockd/fwknopd daemon process presence indicating configured port knocking infrastructure on Linux via the Falcon sensor; (3) NetworkConnectIP4 event aggregation identifying rapid sequences of 3-8 distinct port connections between an endpoint and a single remote IP within 30 seconds, where the low total packet count distinguishes knocking from scanning. An optional correlation join links knock tool execution to subsequent DNS activity for C2 chain analysis.
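To check the Branch 3 thresholds offline, here is an added Python port of that aggregation (not part of the original page or of LogScale) run over constructed NetworkConnectIP4-shaped events; the field names mirror the query and the three sample cases are a knock, a port scan and a retry storm.

```python
from collections import defaultdict

# Thresholds copied from the Branch 3 query above.
MIN_DISTINCT, MAX_DISTINCT = 3, 8
MIN_PACKETS, MAX_PACKETS = 3, 12
MIN_SECONDS, MAX_SECONDS = 1, 30

def make_event(t_ms, remote, port, host="HOST01"):
    """Build one NetworkConnectIP4-shaped event (constructed sample, not real telemetry)."""
    return {"_time": t_ms, "RemoteAddressIP4": remote, "RemotePort": port, "ComputerName": host}

def aggregate(events):
    """Mirror the query's groupBy([RemoteAddressIP4, ComputerName]) and its aggregates."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["RemoteAddressIP4"], ev["ComputerName"])].append(ev)
    rows = []
    for (remote, host), evs in groups.items():
        evs.sort(key=lambda e: e["_time"])          # keep the knock order intact
        ports = [e["RemotePort"] for e in evs]
        rows.append({
            "RemoteAddressIP4": remote,
            "ComputerName": host,
            "total_packets": len(evs),
            "distinct_ports": len(set(ports)),
            # _time is epoch milliseconds, hence the /1000 as in the query
            "knock_duration_sec": (evs[-1]["_time"] - evs[0]["_time"]) / 1000,
            "port_sequence": ports,
        })
    return rows

def is_knock_candidate(row):
    """Apply the three bounded thresholds that separate a knock from a scan or a retry storm."""
    return (MIN_DISTINCT <= row["distinct_ports"] <= MAX_DISTINCT
            and MIN_PACKETS <= row["total_packets"] <= MAX_PACKETS
            and MIN_SECONDS <= row["knock_duration_sec"] <= MAX_SECONDS)

def detect(events):
    """Return only the aggregated rows that satisfy the Branch 3 thresholds."""
    return [r for r in aggregate(events) if is_knock_candidate(r)]

T0 = 1_700_000_000_000  # arbitrary epoch-ms base for the constructed sample
SAMPLE_EVENTS = (
    [make_event(T0 + d, "10.0.0.5", p) for d, p in ((0, 7000), (1000, 8000), (2000, 9000))]  # knock
    + [make_event(T0 + i * 250, "10.0.0.9", 1000 + i) for i in range(20)]  # scan: too many ports
    + [make_event(T0 + i * 500, "10.0.0.7", 443) for i in range(4)]        # retries to one port
)
```

Note that the three-connection sequence in Test 4 below completes within 500 ms, so its knock_duration_sec is 0.5 and falls under the 1-second lower bound; Branch 3 as written will not fire on it and that test is covered by process telemetry instead.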
False Positives & Tuning
- Authorized IT security teams running knock sequences against their own hardened servers during infrastructure access reviews or post-change verification — FileName and CommandLine will match detection patterns for legitimate knock tool invocations
- Developers on security teams who have knock installed as a local utility for accessing personal homelab infrastructure through corporate endpoint sensors, generating low-severity noise in the detection feed
- Automated post-exploitation simulation platforms (Atomic Red Team, VECTR, AttackIQ) running T1205.001 atomic tests during scheduled purple team exercises — coordinate suppression windows with the SOC before running test sequences
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Install and Configure knockd Daemon on Linux
  Expected signal: Syslog entries from the knockd daemon: '<timestamp> <host> knockd: Starting...' and 'knockd: listening on lo'. Package manager log entries in /var/log/dpkg.log or /var/log/yum.log for the knockd installation. Auditd execve events for apt-get/yum and knockd process creation. File creation event for /tmp/knockd-test.conf. If using the MDE Linux agent: DeviceProcessEvents with FileName=knockd.
- Test 2: Send Port Knock Sequence Using knock Client
  Expected signal: DeviceProcessEvents (MDE Linux agent): FileName=knock, ProcessCommandLine='knock 127.0.0.1 7000 8000 9000 -v'. Sysmon for Linux Event ID 3 (if deployed): three outbound network connections to 127.0.0.1 on ports 7000, 8000, 9000. Network flow logs will show three SYN packets with no SYN-ACK response (the ports are closed), followed optionally by a successful connection to port 4444 if knockd is configured.
- Test 3: Simulate Port Knock Using hping3 Crafted SYN Packets
  Expected signal: DeviceProcessEvents: four invocations of hping3 with the -S flag and different -p port values. Each hping3 execution creates a raw socket (AF_PACKET or SOCK_RAW) visible in auditd socket syscall events. Network flow: four SYN packets to 127.0.0.1 on ports 200, 80, 22, 53 in rapid succession, matching the cd00r default knock sequence documented in the MITRE reference.
- Test 4: Simulate Port Knock Sequence from Windows Using PowerShell TCP Connections
  Expected signal: Sysmon Event ID 3 (Network Connection): three network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 within 500 ms. DeviceNetworkEvents in MDE: three ConnectionFailed events from PowerShell to localhost. DeviceProcessEvents: powershell.exe with a CommandLine containing 'TcpClient' and the port numbers. The Windows Filtering Platform (WFP) audit log may capture the refused connection attempts.
References (8)
- https://attack.mitre.org/techniques/T1205/001/
- https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-uses-fortigate-fortimanager-zero-day
- https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- https://github.com/jvinet/knock
- https://www.cipherdyne.org/fwknop/
- https://github.com/moxie0/knockknock