T1205.001 Splunk · SPL

Detect Port Knocking in Splunk

Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access.

MITRE ATT&CK

Tactic
Defense Evasion Persistence Command and Control
Technique
T1205 Traffic Signaling
Sub-technique
T1205.001 Port Knocking
Canonical reference
https://attack.mitre.org/techniques/T1205/001/

SPL Detection Query

Splunk (SPL)

| union
  [search (index=linux_logs OR index=syslog) (sourcetype=syslog OR sourcetype=linux_secure)
    (process="knockd" OR process="fwknopd"
     OR message="*knockd*" OR message="*fwknop*"
     OR message="*knock sequence*" OR message="*OPEN SESAME*"
     OR message="*Opening port*" OR message="*Stage 1*" OR message="*correct knock*")
   | eval detection_branch=case(
       match(message, "Opening port|OPEN SESAME|sequence complete|correct knock"), "knock_sequence_triggered",
       match(message, "Stage 1|Stage 2|Stage 3"), "knock_sequence_in_progress",
       match(process, "knockd|fwknopd"), "knock_daemon_running",
       true(), "knockd_general_activity"
     )
   | eval source_ip=coalesce(src_ip, src)
   | table _time, host, process, message, source_ip, detection_branch],
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\knock.exe" OR Image="*\\fwknop.exe"
     OR (Image="*\\hping3.exe" AND (CommandLine="*-S*" OR CommandLine="*--syn*"))
     OR CommandLine="*knockd.conf*" OR CommandLine="*--knock-port*")
   | eval detection_branch="knock_client_tool_execution"
   | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_branch],
  [search (index=firewall OR index=network OR index=paloalto) (action=deny OR action=drop OR action=block OR action=reject)
     isnotnull(src_ip) isnotnull(dest_port)
   | bucket _time span=30s AS time_window
   | stats dc(dest_port) as distinct_ports, list(dest_port) as port_sequence, count as total_packets,
           min(_time) as window_start, max(_time) as window_end
           by src_ip, time_window
   | where distinct_ports >= 3 AND distinct_ports <= 8 AND total_packets >= 3 AND total_packets <= 12
   | eval knock_duration_sec = window_end - window_start
   | where knock_duration_sec <= 30 AND knock_duration_sec >= 1
   | eval _time=time_window, detection_branch="rapid_sequential_port_denied"
   | table _time, src_ip, distinct_ports, port_sequence, total_packets, knock_duration_sec, detection_branch]
| sort - _time

Severity: high · Confidence: medium

Three-branch port knocking detection using a Splunk union across Linux syslog, Windows Sysmon, and firewall/network logs. Branch 1 detects knockd/fwknopd daemon activity in Linux syslog, including the specific log messages that mark sequence progression and a port-open trigger. Branch 2 identifies execution of known knock client tools (knock.exe, fwknop.exe, hping3 with SYN flags) via Sysmon Event ID 1. Branch 3 buckets firewall deny events into 30-second windows per source IP and flags the rapid 3–8 distinct-port pattern that characterizes automated knock sequences. The window is kept in a separate field (time_window) so that window_start and window_end come from the earliest and latest event timestamps inside the bucket rather than from the bucket boundary; otherwise knock_duration_sec would always be 0 and the duration filter would discard every result. list(dest_port) rather than values(dest_port) preserves the arrival order of the ports, which is what an analyst needs to compare against a known knock sequence. Port scans are separated from knock sequences by the distinct-port and total-packet ceilings, which a scan typically exceeds within a single window.
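The windowing logic of the firewall branch, re-implemented in Python as an added example (not the page's own code and not a Splunk artifact) so it can be run offline against deny-log lines. The thresholds are the ones the SPL query uses; the line format, IP addresses, ports and timestamps in SAMPLE_LOGS are constructed for this example and do not follow any particular vendor's log format. Beyond the SPL branch, it also labels the windows that are rejected (retries to one port, scan-like bursts, out-of-range duration), which is useful when tuning the thresholds against real data.

```python
"""Windowed port-knock candidate detection over firewall deny logs.

Added example, not the page's own code: re-implements the firewall branch of
the SPL query above (30 s windows per source, 3-8 distinct ports, 3-12 packets,
1-30 s duration) in plain Python. Log format and sample values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Thresholds mirror the SPL firewall branch.
WINDOW_SEC = 30
MIN_PORTS, MAX_PORTS = 3, 8
MIN_PACKETS, MAX_PACKETS = 3, 12
MIN_DURATION, MAX_DURATION = 1, 30
DENY_ACTIONS = {"deny", "drop", "block", "reject"}

# Constructed line format (not a real vendor format):
# <ISO-8601 UTC timestamp> <action> src=<ip> dst=<ip> dpt=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=[\d.]+ dpt=(?P<dpt>\d+)$"
)

# Constructed sample: a three-port knock from 203.0.113.7 followed by an allowed
# connection, one stray denied packet, three retries to a single port, and a
# 20-port scan completed in five seconds.
SAMPLE_LOGS = (
    "2024-05-01T10:00:00Z deny src=203.0.113.7 dst=198.51.100.10 dpt=7000\n"
    "2024-05-01T10:00:01Z deny src=203.0.113.7 dst=198.51.100.10 dpt=8000\n"
    "2024-05-01T10:00:02Z deny src=203.0.113.7 dst=198.51.100.10 dpt=9000\n"
    "2024-05-01T10:00:03Z allow src=203.0.113.7 dst=198.51.100.10 dpt=4444\n"
    "2024-05-01T10:00:10Z deny src=203.0.113.9 dst=198.51.100.10 dpt=22\n"
    "2024-05-01T10:01:00Z deny src=198.51.100.77 dst=198.51.100.10 dpt=443\n"
    "2024-05-01T10:01:01Z deny src=198.51.100.77 dst=198.51.100.10 dpt=443\n"
    "2024-05-01T10:01:02Z deny src=198.51.100.77 dst=198.51.100.10 dpt=443\n"
    + "".join(
        f"2024-05-01T10:05:{i // 4:02d}Z deny src=203.0.113.50 dst=198.51.100.10 dpt={i + 1}\n"
        for i in range(20)
    )
)


def parse_line(line):
    """Return a dict for one recognised log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "action": m["action"],
            "src_ip": m["src"], "dest_port": int(m["dpt"])}


def window_verdicts(lines):
    """Group denied packets by (src_ip, 30 s bucket) and judge each window.

    Mirrors the SPL: distinct ports, packet count, and duration measured from
    the earliest to the latest event timestamp inside the bucket, not from the
    bucket boundary.
    """
    events = [e for e in map(parse_line, lines) if e and e["action"] in DENY_ACTIONS]
    events.sort(key=lambda e: e["ts"])  # arrival order, so port_sequence is meaningful
    groups = defaultdict(list)
    for e in events:
        bucket = int(e["ts"]) // WINDOW_SEC * WINDOW_SEC
        groups[(e["src_ip"], bucket)].append(e)

    verdicts = []
    for (src_ip, bucket), evs in sorted(groups.items()):
        ports = [e["dest_port"] for e in evs]
        distinct_ports, total_packets = len(set(ports)), len(evs)
        duration = evs[-1]["ts"] - evs[0]["ts"]
        # total_packets >= MIN_PACKETS is implied by distinct_ports >= MIN_PORTS.
        if distinct_ports < MIN_PORTS:
            verdict = "too_few_ports"          # retries or a single stray packet
        elif distinct_ports > MAX_PORTS or total_packets > MAX_PACKETS:
            verdict = "scan_like"              # scans exceed both ceilings
        elif not (MIN_DURATION <= duration <= MAX_DURATION):
            verdict = "duration_out_of_range"  # e.g. everything in the same second
        else:
            verdict = "rapid_sequential_port_denied"
        verdicts.append({
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "src_ip": src_ip, "distinct_ports": distinct_ports,
            "port_sequence": ports, "total_packets": total_packets,
            "knock_duration_sec": duration, "verdict": verdict,
        })
    return verdicts


def detect_knock_windows(lines):
    """Only the windows the SPL branch would emit as detections."""
    return [v for v in window_verdicts(lines) if v["verdict"] == "rapid_sequential_port_denied"]


if __name__ == "__main__":
    for v in window_verdicts(SAMPLE_LOGS.splitlines()):
        print(v["window_start"], v["src_ip"], v["verdict"], v["port_sequence"][:8])
```

Like the SPL, this uses fixed 30-second buckets, so a knock sequence that straddles a bucket boundary is split across two windows and may fall under the distinct-port minimum in each; if that shows up in practice, a sliding window per source, or a second pass over the same data with the bucket offset by 15 seconds, closes the gap.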

Data Sources

  • Network Traffic: Network Traffic Flow
  • Process: Process Creation
  • Linux Syslog
  • Sysmon Event ID 1
  • Firewall Deny Logs

Required Sourcetypes

  • syslog
  • linux_secure
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate administrators using knockd or fwknopd to protect SSH access on hardened Linux hosts — this is a common, legitimate use case
  • Authorized vulnerability scanners probing multiple ports in sequence during scheduled assessments
  • Network monitoring tools performing availability checks across multiple service ports
  • Developer testing of firewall rules by manually attempting connections to multiple ports
  • Load balancer and service mesh probes that sequentially test backend port availability

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Install and Configure knockd Daemon on Linux

    Expected signal: Syslog entries from knockd daemon: '<timestamp> <host> knockd: Starting...' and 'knockd: listening on lo'. Package manager log entries in /var/log/dpkg.log or /var/log/yum.log for knockd installation. Auditd execve events for apt-get/yum and knockd process creation. File creation event for /tmp/knockd-test.conf. If using MDE Linux agent: DeviceProcessEvents with FileName=knockd.

  2. Test 2: Send Port Knock Sequence Using knock Client

    Expected signal: DeviceProcessEvents (MDE Linux agent): FileName=knock, ProcessCommandLine='knock 127.0.0.1 7000 8000 9000 -v'. Sysmon for Linux Event ID 3 (if deployed): three outbound network connections to 127.0.0.1 on ports 7000, 8000, 9000. Network flow logs will show three SYN packets with no SYN-ACK response (ports are closed), followed optionally by a successful connection to port 4444 if knockd is configured.

  3. Test 3: Simulate Port Knock Using hping3 Crafted SYN Packets

    Expected signal: DeviceProcessEvents: four invocations of hping3 with -S flag and different -p port values. Each hping3 execution creates a raw socket (AF_PACKET or SOCK_RAW) visible in auditd socket syscall events. Network flow: four SYN packets to 127.0.0.1 on ports 200, 80, 22, 53 in rapid succession — matches the exact cd00r default knock sequence documented in the MITRE reference.

  4. Test 4: Simulate Port Knock Sequence from Windows Using PowerShell TCP Connections

    Expected signal: Sysmon Event ID 3 (Network Connection): three network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 within 500ms. DeviceNetworkEvents in MDE: three ConnectionFailed events from PowerShell to localhost. DeviceProcessEvents: powershell.exe with CommandLine containing 'TcpClient' and the port numbers. Windows Filtering Platform (WFP) audit log may capture the refused connection attempts.
