T1205.001 IBM QRadar · QRadar

Detect Port Knocking in IBM QRadar

Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence, Command and Control
Technique
T1205 Traffic Signaling
Sub-technique
T1205.001 Port Knocking
Canonical reference
https://attack.mitre.org/techniques/T1205/001/

QRadar Detection Query

IBM QRadar AQL. The three branches below are separate AQL searches (AQL has no UNION operator), so run each one on its own and combine the results in a rule or report.

/* Branch 1: knockd/fwknopd daemon syslog activity */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  QIDNAME(qid) AS event_name,
  "message",
  'knock_daemon_activity' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID IN (11 /* Linux Syslog */, 352 /* Universal DSM */)
  AND ("message" ILIKE '%knockd%'
    OR "message" ILIKE '%fwknop%'
    OR "message" ILIKE '%knock sequence%'
    OR "message" ILIKE '%OPEN SESAME%'
    OR "message" ILIKE '%Opening port%'
    OR "message" ILIKE '%Stage 1%'
    OR "message" ILIKE '%correct knock%')
  /* suppress hosts where knockd is sanctioned, matched on log source name */
  AND LOGSOURCENAME(logsourceid) NOT IN ('trusted_knockd_host_01', 'trusted_knockd_host_02')
LAST 24 HOURS

/* Branch 2: knock client tool process execution (Sysmon or Windows Event 4688) */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  QIDNAME(qid) AS event_name,
  "ApplicationPath" AS process_path,
  'knock_client_execution' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID IN (12 /* Microsoft Windows Security Event Log */, 367 /* Sysmon */)
  AND (QIDNAME(qid) ILIKE '%process create%' OR eventid IN (1, 4688))
  AND ("ApplicationPath" ILIKE '%\knock.exe'
    OR "ApplicationPath" ILIKE '%\fwknop.exe'
    OR "ApplicationPath" ILIKE '%\hping3.exe'
    OR "CommandLine" ILIKE '%knockd.conf%'
    OR "CommandLine" ILIKE '%--knock-port%')
LAST 24 HOURS

/* Branch 3: firewall denied sequential port pattern (knock detection) */
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS window_start,
  sourceip,
  COUNT(DISTINCT destinationport) AS distinct_ports_hit,
  COUNT(*) AS total_packets,
  LONG(MAX(starttime) - MIN(starttime)) / 1000 AS knock_duration_sec,
  'rapid_sequential_ports_denied' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID IN (5 /* Firewall */, 6 /* IDS/IPS */, 15 /* Cisco ASA */, 28 /* Palo Alto */)
  AND (devicedirection = 'Inbound' OR devicedirection IS NULL)
  AND ("action" ILIKE '%deny%'
    OR "action" ILIKE '%drop%'
    OR "action" ILIKE '%block%'
    OR "action" ILIKE '%reject%')
  AND sourceip IS NOT NULL
  AND destinationport IS NOT NULL
GROUP BY sourceip, TRUNC(starttime, 30000) /* 30-second buckets per source IP */
HAVING COUNT(DISTINCT destinationport) BETWEEN 3 AND 8
  AND COUNT(*) BETWEEN 3 AND 12
  AND LONG(MAX(starttime) - MIN(starttime)) / 1000 BETWEEN 1 AND 30
ORDER BY window_start DESC
LAST 24 HOURS

Severity: high · Confidence: medium

Detects port knocking activity across three AQL branches: Linux syslog messages from knockd/fwknopd daemons indicating knock sequence processing or completion, Windows/Sysmon process creation events for known knock client tools (knock.exe, fwknop.exe, hping3.exe with SYN flags), and firewall deny log aggregation identifying 3-8 distinct ports hit within 30 seconds from the same source IP with low total packet count — the hallmark of automated knock sequences versus noisy port scans.
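As an added example that is not part of the original page, the Python below re-implements the Branch 3 aggregation (30-second buckets per source IP, then the HAVING thresholds) over constructed firewall deny lines so the thresholds can be sanity-checked offline: a three-port knock is flagged, while a single stray deny and a 40-port scan are not. The log line layout and the parse() field mapping are assumptions made for this example.

```python
import re
from collections import defaultdict
BUCKET_MS = 30_000  # same 30-second buckets as TRUNC(starttime, 30000) in the AQL
DENY_WORDS = ("deny", "drop", "block", "reject")
LINE_RE = re.compile(r"^(\d+) (\w+) src=(\S+) dpt=(\d+) dir=(\w+)$")

# Constructed sample lines (epoch ms, action, src, dest port, direction); layout is an assumption.
SAMPLE_LOGS = [
    "1700000000100 DENY src=203.0.113.7 dpt=7000 dir=Inbound",   # knock 1
    "1700000001200 DENY src=203.0.113.7 dpt=8000 dir=Inbound",   # knock 2
    "1700000002300 DENY src=203.0.113.7 dpt=9000 dir=Inbound",   # knock 3
    "1700000003000 ALLOW src=203.0.113.7 dpt=4444 dir=Inbound",  # port opened afterwards
    "1700000000500 DENY src=198.51.100.9 dpt=22 dir=Inbound",    # single stray deny
    "1700000000900 DENY src=192.0.2.5 dpt=443 dir=Outbound",     # egress, out of scope
] + [  # noisy scan: 40 ports in 20 s, far above the 8-port / 12-packet ceilings
    f"{1700000000000 + i * 500} DENY src=192.0.2.99 dpt={1000 + i} dir=Inbound"
    for i in range(40)
]

def parse(line):
    """Map one constructed line onto the AQL field names used by Branch 3."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts, action, src, dpt, direction = m.groups()
    return {"starttime": int(ts), "action": action, "sourceip": src,
            "destinationport": int(dpt), "devicedirection": direction}

def rapid_sequential_ports_denied(lines, min_ports=3, max_ports=8,
                                  min_pkts=3, max_pkts=12, min_sec=1, max_sec=30):
    """Branch 3 WHERE / GROUP BY / HAVING logic; hits keyed by (sourceip, bucket_ms)."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["devicedirection"] != "Inbound":
            continue
        if not any(word in ev["action"].lower() for word in DENY_WORDS):
            continue
        bucket = ev["starttime"] - ev["starttime"] % BUCKET_MS
        groups[(ev["sourceip"], bucket)].append(ev)
    hits = {}
    for key, evs in groups.items():
        ports = {e["destinationport"] for e in evs}
        times = [e["starttime"] for e in evs]
        duration_sec = (max(times) - min(times)) // 1000  # LONG(...) / 1000 truncates
        if (min_ports <= len(ports) <= max_ports and min_pkts <= len(evs) <= max_pkts
                and min_sec <= duration_sec <= max_sec):
            hits[key] = {"distinct_ports_hit": len(ports), "total_packets": len(evs),
                         "knock_duration_sec": duration_sec}
    return hits
```

Fixed 30-second buckets mirror TRUNC(starttime, 30000), so a knock that straddles a bucket boundary is split and may fall below the 3-port minimum; a sliding window closes that gap at higher query cost.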

Data Sources

  • Linux Syslog (QRadar DSM)
  • Microsoft Windows Security Event Log
  • Sysmon for Windows
  • Firewall log sources (Palo Alto, Cisco ASA, pfSense, Check Point)
  • IDS/IPS events

Required Tables

events

False Positives & Tuning

  • Authorized use of knockd on hardened Linux servers where sysadmins use port knocking to protect SSH access — generates knock_daemon_activity alerts on every legitimate access attempt
  • Penetration testing engagements where testers enumerate services using sequential low-packet-count probes that superficially resemble knock sequences in the 3-8 port range
  • Load balancer health checks or monitoring agents that probe multiple service ports on a backend in rapid succession, appearing as sequential denied probes if any ports are filtered

Testing Methodology

Validate this detection against the 4 adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Install and Configure knockd Daemon on Linux

    Expected signal: Syslog entries from knockd daemon: '<timestamp> <host> knockd: Starting...' and 'knockd: listening on lo'. Package manager log entries in /var/log/dpkg.log or /var/log/yum.log for knockd installation. Auditd execve events for apt-get/yum and knockd process creation. File creation event for /tmp/knockd-test.conf. If using MDE Linux agent: DeviceProcessEvents with FileName=knockd.

  2. Test 2: Send Port Knock Sequence Using knock Client

    Expected signal: DeviceProcessEvents (MDE Linux agent): FileName=knock, ProcessCommandLine='knock 127.0.0.1 7000 8000 9000 -v'. Sysmon for Linux Event ID 3 (if deployed): three outbound network connections to 127.0.0.1 on ports 7000, 8000, 9000. Network flow logs will show three SYN packets with no SYN-ACK response (ports are closed), followed optionally by a successful connection to port 4444 if knockd is configured.

  3. Test 3: Simulate Port Knock Using hping3 Crafted SYN Packets

    Expected signal: DeviceProcessEvents: four invocations of hping3 with -S flag and different -p port values. Each hping3 execution creates a raw socket (AF_PACKET or SOCK_RAW) visible in auditd socket syscall events. Network flow: four SYN packets to 127.0.0.1 on ports 200, 80, 22, 53 in rapid succession — matches the exact cd00r default knock sequence documented in the MITRE reference.

  4. Test 4: Simulate Port Knock Sequence from Windows Using PowerShell TCP Connections

    Expected signal: Sysmon Event ID 3 (Network Connection): three network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 within 500ms. DeviceNetworkEvents in MDE: three ConnectionFailed events from PowerShell to localhost. DeviceProcessEvents: powershell.exe with CommandLine containing 'TcpClient' and the port numbers. Windows Filtering Platform (WFP) audit log may capture the refused connection attempts.
