Detect Port Knocking in Sumo Logic CSE
Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access.
MITRE ATT&CK
- Technique
- T1205 Traffic Signaling
- Sub-technique
- T1205.001 Port Knocking
- Canonical reference
- https://attack.mitre.org/techniques/T1205/001/
Sumo Detection Query
// Branch 1: knockd/fwknopd daemon syslog activity
(_sourceCategory=linux/syslog OR _sourceCategory=linux/secure OR _sourceCategory=os/linux)
| where process matches "knockd" or process matches "fwknopd"
or message matches "*knockd*" or message matches "*fwknop*"
or message matches "*knock sequence*" or message matches "*OPEN SESAME*"
or message matches "*Opening port*" or message matches "*Stage 1*"
or message matches "*correct knock*"
| if (message matches "Opening port" or message matches "OPEN SESAME"
or message matches "sequence complete" or message matches "correct knock",
"knock_sequence_triggered",
if (message matches "Stage 1" or message matches "Stage 2" or message matches "Stage 3",
"knock_sequence_in_progress",
if (process matches "knockd" or process matches "fwknopd",
"knock_daemon_running",
"knockd_general_activity"))) as detection_branch
| fields _messageTime, _sourceHost, process, message, detection_branch
// Branch 2: knock client tool execution (Sysmon EventCode=1)
// Run as separate query:
// (_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process)
// | where EventCode = 1
// | where Image matches "*\\knock.exe" or Image matches "*\\fwknop.exe"
// or Image matches "*\\hping3.exe"
// or CommandLine matches "*knockd.conf*" or CommandLine matches "*--knock-port*"
// | if (Image matches "*hping3*" and (CommandLine matches "*--syn*" or CommandLine matches "*-S *"),
// "hping3_syn_knock", "knock_client_execution") as detection_branch
// | fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, detection_branch
// Branch 3: firewall sequential denied ports — network knock pattern
// Run as separate query:
// (_sourceCategory=firewall OR _sourceCategory=network/firewall OR _sourceCategory=paloalto)
// | where action matches "*deny*" or action matches "*drop*"
// or action matches "*block*" or action matches "*reject*"
// | where !isNull(src_ip) and !isNull(dest_port)
// | timeslice 30s
// | stats dcount(dest_port) as distinct_ports,
// values(dest_port) as port_sequence,
// count as total_packets,
// min(_messageTime) as window_start,
// max(_messageTime) as window_end
// by src_ip, _timeslice
// | where distinct_ports >= 3 and distinct_ports <= 8
// and total_packets >= 3 and total_packets <= 12
// | where (window_end - window_start) / 1000 >= 1
// and (window_end - window_start) / 1000 <= 30
// | "rapid_sequential_ports_denied" as detection_branch
// | fields window_start, src_ip, distinct_ports, port_sequence, total_packets, detection_branchDetects port knocking activity via three Sumo Logic search branches: Linux syslog pattern matching for knockd/fwknopd process names and characteristic log messages (knock sequence triggers, stage progression, OPEN SESAME), Sysmon process creation events for knock client tool execution, and firewall log aggregation using timeslice to identify rapid sequential denied connections to 3-8 distinct ports within 30 seconds from one source. Detection branch tagging enables SIEM correlation and analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Production Linux servers with knockd legitimately configured for SSH access protection — every successful admin login generates knock_sequence_triggered alerts; these require allowlisting known management hosts
- Automated deployment pipelines that include a knock sequence step before opening configuration management ports, causing periodic benign knock_sequence_in_progress alerts during scheduled deployments
- Vulnerability scanners (Tenable, Qualys, Rapid7) performing low-intensity service discovery against filtered ports — the low packet count and short duration can match knock sequence thresholds
Other platforms for T1205.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install and Configure knockd Daemon on Linux
Expected signal: Syslog entries from knockd daemon: '<timestamp> <host> knockd: Starting...' and 'knockd: listening on lo'. Package manager log entries in /var/log/dpkg.log or /var/log/yum.log for knockd installation. Auditd execve events for apt-get/yum and knockd process creation. File creation event for /tmp/knockd-test.conf. If using MDE Linux agent: DeviceProcessEvents with FileName=knockd.
- Test 2Send Port Knock Sequence Using knock Client
Expected signal: DeviceProcessEvents (MDE Linux agent): FileName=knock, ProcessCommandLine='knock 127.0.0.1 7000 8000 9000 -v'. Sysmon for Linux Event ID 3 (if deployed): three outbound network connections to 127.0.0.1 on ports 7000, 8000, 9000. Network flow logs will show three SYN packets with no SYN-ACK response (ports are closed), followed optionally by a successful connection to port 4444 if knockd is configured.
- Test 3Simulate Port Knock Using hping3 Crafted SYN Packets
Expected signal: DeviceProcessEvents: four invocations of hping3 with -S flag and different -p port values. Each hping3 execution creates a raw socket (AF_PACKET or SOCK_RAW) visible in auditd socket syscall events. Network flow: four SYN packets to 127.0.0.1 on ports 200, 80, 22, 53 in rapid succession — matches the exact cd00r default knock sequence documented in the MITRE reference.
- Test 4Simulate Port Knock Sequence from Windows Using PowerShell TCP Connections
Expected signal: Sysmon Event ID 3 (Network Connection): three network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 within 500ms. DeviceNetworkEvents in MDE: three ConnectionFailed events from PowerShell to localhost. DeviceProcessEvents: powershell.exe with CommandLine containing 'TcpClient' and the port numbers. Windows Filtering Platform (WFP) audit log may capture the refused connection attempts.
References (8)
- https://attack.mitre.org/techniques/T1205/001/
- https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-uses-fortigate-fortimanager-zero-day
- https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- https://github.com/jvinet/knock
- https://www.cipherdyne.org/fwknop/
- https://github.com/moxie0/knockknock
Unlock Pro Content
Get the full detection package for T1205.001 including response playbook, investigation guide, and atomic red team tests.