Detect Traffic Signaling in Elastic Security
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence—such as a specific string in a packet, a sequence of connection attempts to closed ports (port knocking), or a Wake-on-LAN magic packet—to trigger a special response from a compromised system. Passive listeners implemented via libpcap or raw sockets sniff network traffic without binding to a visible port, making them invisible to standard port scanners. Real-world examples include Turla Penquin (sniffs TCP/UDP for magic packets before C2 activation), Ryuk ransomware (Wake-on-LAN UDP broadcasts for lateral movement to powered-off systems), Winnti for Linux (passive listener activated by a magic value), SYNful Knock (Cisco IOS router backdoor activated via crafted SYN packets), ZIPLINE (triggered by a specific SSH banner string), J-magic (monitors TCP for one of five predefined parameter values then spawns a reverse shell), and REPTILE (listens for specialized packets in TCP, UDP, or ICMP for activation).
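The magic-value idea above is easiest to see on the Wake-on-LAN case. The following Python, an added example rather than code from the page or from any of the malware families named, builds a magic packet for a MAC address and scans a captured UDP payload for one, following the AMD Magic Packet layout (six 0xFF bytes as a sync stream, then the target MAC repeated 16 times, anywhere in the frame). Function names are my own.

```python
"""Wake-on-LAN magic packet: build one, and find one inside a captured UDP payload.

Added example; follows the AMD Magic Packet layout (6 x 0xFF sync stream, then the
target MAC repeated 16 times) and is not code from the original page.
"""
import re

SYNC_STREAM = b"\xff" * 6
MAC_REPEATS = 16


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabbccddeeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """102-byte magic packet: sync stream followed by the MAC repeated 16 times."""
    return SYNC_STREAM + mac_to_bytes(mac) * MAC_REPEATS


def find_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload carries a magic
    packet, else None.

    The spec lets the sequence sit anywhere in the frame, so every occurrence of
    the sync stream is tried. A candidate MAC of all 0xFF is rejected: that is just
    more sync bytes (padding), not a unicast target.
    """
    start = payload.find(SYNC_STREAM)
    while start != -1:
        body = payload[start + len(SYNC_STREAM):]
        candidate = body[:6]
        if (len(candidate) == 6 and candidate != SYNC_STREAM
                and body[:6 * MAC_REPEATS] == candidate * MAC_REPEATS):
            return ":".join(f"{b:02x}" for b in candidate)
        start = payload.find(SYNC_STREAM, start + 1)
    return None


if __name__ == "__main__":
    packet = build_magic_packet("00:11:22:33:44:55")
    print(len(packet), "bytes; target =", find_magic_packet(b"\x00" * 8 + packet))
```

In a packet-capture review, run `find_magic_packet` over the UDP payload of every datagram to port 7 or 9; endpoint telemetry only shows the port and destination, so the payload check is what confirms a real wake-up rather than an echo or discard service probe.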
MITRE ATT&CK
- Technique: T1205 Traffic Signaling
- Canonical reference: https://attack.mitre.org/techniques/T1205/
Elastic Detection Query
// Signal 1: Packet capture library load by unexpected process
library where dll.name in~ ("wpcap.dll", "npcap.dll", "packet.dll")
  and not process.name in~ ("wireshark.exe", "tshark.exe", "dumpcap.exe", "rawcap.exe", "networkminer.exe", "fiddler.exe", "procexp.exe", "procexp64.exe")

// Signal 2: Wake-on-LAN UDP broadcast transmission
network where network.transport == "udp"
  and destination.port in (7, 9)
  and destination.ip == "255.255.255.255"

// Signal 3: Port knocking — rapid sequential failed connections to distinct ports
sequence by host.name, source.ip with maxspan=60s
  [network where event.action == "connection_refused" or event.outcome == "failure"] with runs=3

Detects Traffic Signaling (T1205) behaviors across three patterns, each deployed as its own rule: (1) non-standard processes loading raw packet capture libraries such as wpcap.dll or npcap.dll, indicating a passive libpcap-based listener sniffing for magic packets; (2) Wake-on-LAN UDP transmissions to port 7 or 9 at a broadcast address, consistent with Ryuk-style lateral movement to powered-off hosts; (3) three or more failed network connection attempts from one source within a 60-second window, the shape of a port knocking sequence used to unlock a hidden backdoor listener.

Query notes. Signal 1 matches a single event, so it is written as a plain library query rather than a one-clause sequence. Signal 2 matches only the limited broadcast address: EQL's like operates on string fields, not on the ip-typed destination.ip, and a wildcard such as "*.255.*" would in any case also match ordinary hosts like 10.255.1.3; add directed broadcasts (for example 192.168.1.255) with cidrMatch against the subnets in your environment. Signal 3 uses with runs=3 to demand three repetitions of the failed-connection subquery inside the maxspan, but EQL cannot compare destination.port between the repeated events, so the "distinct ports" requirement has to be checked during triage. Before relying on Signal 3, confirm that your network data source actually emits event.action "connection_refused" or event.outcome "failure" for refused connections; Sysmon Event ID 3, for one, carries no outcome field.
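The three signals re-implemented in Python over a handful of ECS-style events, as an added example that is not part of the original detection package. Field names mirror the EQL; the sample events and the LOCAL_SUBNETS list are constructed for the example. Unlike the EQL, the port-knock check enforces distinct destination ports, and the broadcast check uses subnet broadcast addresses instead of a wildcard.

```python
"""The three T1205 signals from the EQL above, re-implemented over ECS-style events.

Added example, not part of the original detection package. Field names mirror the
EQL; SAMPLE_EVENTS and LOCAL_SUBNETS are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

CAPTURE_DLLS = {"wpcap.dll", "npcap.dll", "packet.dll"}
KNOWN_CAPTURE_TOOLS = {"wireshark.exe", "tshark.exe", "dumpcap.exe", "rawcap.exe",
                       "networkminer.exe", "fiddler.exe", "procexp.exe", "procexp64.exe"}
WOL_PORTS = {7, 9}
# Directed broadcasts come from subnets you know (what cidrMatch would express in EQL);
# these two networks are invented for the example.
LOCAL_SUBNETS = [ipaddress.ip_network("10.20.30.0/24"), ipaddress.ip_network("192.168.1.0/24")]
KNOCK_MIN_DISTINCT_PORTS = 3
KNOCK_MAXSPAN = timedelta(seconds=60)


def event_time(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def signal_capture_library_load(events):
    """Signal 1: wpcap/npcap/packet.dll loaded by anything but a known capture tool."""
    return [(e["host.name"], e["process.name"], e["dll.name"]) for e in events
            if e.get("event.category") == "library"
            and e.get("dll.name", "").lower() in CAPTURE_DLLS
            and e.get("process.name", "").lower() not in KNOWN_CAPTURE_TOOLS]


def is_broadcast(address):
    """Limited broadcast or the directed broadcast of a known local subnet; a wildcard
    like '*.255.*' would also match ordinary hosts such as 10.255.1.3."""
    ip = ipaddress.ip_address(address)
    return ip == ipaddress.ip_address("255.255.255.255") or any(
        ip == net.broadcast_address for net in LOCAL_SUBNETS)


def signal_wol_broadcast(events):
    """Signal 2: UDP to port 7 or 9 at a broadcast address."""
    return [(e["host.name"], e["process.name"], e["destination.ip"], e["destination.port"])
            for e in events
            if e.get("event.category") == "network" and e.get("network.transport") == "udp"
            and e.get("destination.port") in WOL_PORTS and is_broadcast(e["destination.ip"])]


def signal_port_knock(events):
    """Signal 3: three or more failed connections to DISTINCT destination ports from one
    (host, source.ip) within 60 s. EQL's `with runs=3` counts repeats but cannot compare
    destination.port across events; the distinct-port rule is enforced here."""
    failures = defaultdict(list)
    for e in sorted(events, key=event_time):
        if e.get("event.category") == "network" and e.get("event.outcome") == "failure":
            failures[(e["host.name"], e["source.ip"])].append((event_time(e), e["destination.port"]))
    hits = []
    for (host, src), attempts in failures.items():
        for i, (t0, _) in enumerate(attempts):
            seen = []
            for t, port in attempts[i:]:
                if t - t0 > KNOCK_MAXSPAN:
                    break
                if port not in seen:
                    seen.append(port)
            if len(seen) >= KNOCK_MIN_DISTINCT_PORTS:
                hits.append((host, src, tuple(seen[:KNOCK_MIN_DISTINCT_PORTS])))
                break  # one alert per (host, source) pair
    return hits


def detect(events):
    return {"capture_library_load": signal_capture_library_load(events),
            "wol_broadcast": signal_wol_broadcast(events),
            "port_knock": signal_port_knock(events)}


def _net(ts, host, proc, transport, src, dst, port, outcome=None):
    e = {"@timestamp": ts, "event.category": "network", "host.name": host, "process.name": proc,
         "network.transport": transport, "source.ip": src, "destination.ip": dst, "destination.port": port}
    if outcome:
        e["event.outcome"] = outcome
    return e


# Constructed sample telemetry: one true positive per signal plus near misses.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event.category": "library", "host.name": "ws01",
     "process.name": "svchost.exe", "dll.name": "wpcap.dll"},
    {"@timestamp": "2024-05-01T10:00:01Z", "event.category": "library", "host.name": "ws01",
     "process.name": "Wireshark.exe", "dll.name": "npcap.dll"},  # allow-listed tool
    _net("2024-05-01T10:01:00Z", "ws02", "powershell.exe", "udp", "10.20.30.5", "10.20.30.255", 9),
    _net("2024-05-01T10:01:05Z", "ws02", "chrome.exe", "udp", "10.20.30.5", "10.255.1.3", 9),  # a host
    _net("2024-05-01T10:02:00Z", "ws03", "powershell.exe", "tcp", "10.20.30.7", "10.20.30.9", 7000, "failure"),
    _net("2024-05-01T10:02:01Z", "ws03", "powershell.exe", "tcp", "10.20.30.7", "10.20.30.9", 8000, "failure"),
    _net("2024-05-01T10:02:02Z", "ws03", "powershell.exe", "tcp", "10.20.30.7", "10.20.30.9", 9000, "failure"),
    # ws04 retries one port: enough events for `with runs=3`, but not a knock sequence
    _net("2024-05-01T10:03:00Z", "ws04", "outlook.exe", "tcp", "10.20.30.8", "10.20.30.9", 443, "failure"),
    _net("2024-05-01T10:03:10Z", "ws04", "outlook.exe", "tcp", "10.20.30.8", "10.20.30.9", 443, "failure"),
    _net("2024-05-01T10:03:20Z", "ws04", "outlook.exe", "tcp", "10.20.30.8", "10.20.30.9", 443, "failure"),
]

if __name__ == "__main__":
    for name, hits in detect(SAMPLE_EVENTS).items():
        print(name, hits)
```

The ws04 events are the case the EQL alone gets wrong: three failures inside 60 seconds satisfy `with runs=3`, but they are retries of one port, not a knock sequence. Replaying exported alerts through this script is a cheap way to rank Signal 3 hits before opening them.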
Data Sources
- Windows: image/library load telemetry for Signal 1 (Elastic endpoint library events, Sysmon Event ID 7, MDE DeviceImageLoadEvents) and network connection telemetry for Signals 2 and 3 (Elastic endpoint network events, Sysmon Event ID 3, MDE DeviceNetworkEvents); Signal 3 additionally needs a source that records the connection outcome, which Sysmon Event ID 3 does not
- Linux: auditd SYSCALL records for socket() calls with AF_PACKET (see Test 4), with /proc/net/packet for live confirmation
- Full packet capture where the WoL payload itself (six 0xFF bytes followed by the MAC repeated 16 times) must be verified
False Positives & Tuning
- Network performance monitoring tools or custom network diagnostics utilities that legitimately load wpcap.dll or npcap.dll for packet inspection outside of standard tools like Wireshark; exclusions keyed on process.name are defeated by simply renaming a binary, so prefer allow-listing on the code-signing subject or file hash where the telemetry provides it
- Wake-on-LAN administrative tools used by IT helpdesk teams to power on remote workstations or servers during maintenance windows; scope these by originating host or process rather than excluding ports 7 and 9 outright
- Automated port scanners or vulnerability assessment tools (Nessus, Qualys scanners, OpenVAS) running scheduled discovery scans that produce rapid failed connection sequences resembling port knocking; exclude known scanner source addresses
Testing Methodology
Validate this detection against the four test cases below; the port knocking case follows Atomic Red Team T1205.001, listed in the references. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Wake-on-LAN Magic Packet Broadcast
Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to 255.255.255.255:9 over UDP. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemoteIP=255.255.255.255, RemotePort=9, Protocol=Udp. The UDP payload carries the WoL signature (six 0xFF bytes followed by the target MAC repeated 16 times) and is visible only in full packet capture; neither Sysmon nor MDE records the payload, so the endpoint signal is the port and the broadcast destination alone.
- Test 2: Port Knocking Sequence Simulation (Sequential Failed Connections)
Expected signal: Sysmon Event ID 3: four network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 and 10000 within approximately one second (Sysmon Event ID 3 carries no success/failure field). DeviceNetworkEvents in MDE will show sequential ConnectionFailed events with distinct RemotePort values from the same initiating process, since no service listens on these ports.
- Test 3: Packet Capture Library Load from Non-Network-Tool Process
Expected signal: Sysmon Event ID 7: ImageLoad event with Image path ending in powershell.exe (or python3.exe) and ImageLoaded path containing wpcap.dll. DeviceImageLoadEvents in MDE: InitiatingProcessFileName=powershell.exe or python3.exe, FileName=wpcap.dll. The load is recorded regardless of whether the subsequent DLL export call succeeds, so the signal fires even if the test's capture call fails.
- Test 4: Linux Raw Packet Socket Creation (Passive Listener Simulation)
Expected signal: Linux auditd with the rule 'auditctl -a always,exit -F arch=b64 -S socket -F a0=17 -k raw_socket_creation' will generate a SYSCALL record with syscall=41 (socket on x86_64; ausearch -i renders the name), comm="python3" and the arguments printed in hex: a0=11 (AF_PACKET, decimal 17) and a1 carrying SOCK_RAW (3), usually with SOCK_CLOEXEC ORed in (CPython creates its sockets with SOCK_CLOEXEC, so expect a1=80003 rather than a1=3); filter on a0, not on an exact a1. The rule covers 64-bit callers only; add a matching -F arch=b32 rule for 32-bit binaries. During the 2-second sleep, /proc/net/packet (one table per network namespace) lists the socket with Type 3 (SOCK_RAW) and, if the listener binds ETH_P_ALL, Proto 0003; map its Inode column to the owning PID through /proc/<PID>/fd. Do not count on Sysmon for Linux here: its NetworkConnect event is keyed to connections being made, not to socket() calls, so auditd is the authoritative source for this test.
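A hunt companion to Test 4, added here and not part of the page's test content: parse /proc/net/packet and map each AF_PACKET socket's inode to the owning PID through the socket:[inode] links under /proc/<pid>/fd. The sample table and fd links are constructed; run the file on a Linux host and it reads the live files instead (seeing other users' descriptors normally requires root). A socket with no owning PID is the finding to chase, since a rootkit that hides its process from /proc still leaves the socket in this table.

```python
"""Hunt for AF_PACKET (raw/packet) sockets and the processes that own them.

Added example, not part of the page's test content. Parses /proc/net/packet and maps
each socket's inode to a PID through the socket:[inode] links under /proc/<pid>/fd.
The sample table and fd links below are constructed; on a Linux host the live files
are used instead (reading other users' fd links normally requires root).
"""
import os
import re

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_P_ALL = 0x0003
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_packet(text):
    """Rows of /proc/net/packet: sk RefCnt Type Proto Iface R Rmem User Inode."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 9:
            continue
        rows.append({
            "sk": fields[0],
            "type": int(fields[2]),        # 3 = SOCK_RAW, 2 = SOCK_DGRAM
            "proto": int(fields[3], 16),   # Ethernet protocol, 0x0003 = ETH_P_ALL
            "ifindex": int(fields[4]),     # 0 = not bound to a single interface
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return rows


def socket_owners(fd_links):
    """fd_links: (pid, readlink target) pairs as found under /proc/<pid>/fd/*.
    Returns {socket inode: [pid, ...]} (a socket can be shared after fork)."""
    owners = {}
    for pid, target in fd_links:
        match = SOCKET_LINK.match(target)
        if match:
            owners.setdefault(int(match.group(1)), []).append(pid)
    return owners


def find_packet_socket_owners(packet_text, fd_links):
    """Join the two views; pid is None when no visible process holds the socket."""
    owners = socket_owners(fd_links)
    findings = []
    for row in parse_proc_net_packet(packet_text):
        for pid in owners.get(row["inode"], [None]):
            findings.append({
                "pid": pid,
                "inode": row["inode"],
                "type": SOCK_TYPES.get(row["type"], str(row["type"])),
                "proto": f"0x{row['proto']:04x}",
                "sniffs_all": row["proto"] == ETH_P_ALL,
                "ifindex": row["ifindex"],
                "uid": row["uid"],
            })
    return findings


def live_fd_links():
    """Walk /proc/<pid>/fd on the running host."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue
        for name in names:
            try:
                yield int(pid), os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue


# Constructed sample: a raw ETH_P_ALL sniffer owned by PID 1234 and a packet-mode
# IP socket owned by PID 4321.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto Iface R Rmem   User   Inode
ffff9a1b2c3d4e00 3      3    0003   2     1 0      0      41237
ffff9a1b2c3d5f00 3      2    0800   0     1 0      0      41802
"""
SAMPLE_FD_LINKS = [
    (1234, "/dev/null"),
    (1234, "socket:[41237]"),
    (4321, "socket:[39000]"),
    (4321, "socket:[41802]"),
]

if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:
            table, links = fh.read(), live_fd_links()
    except OSError:
        table, links = SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS
    for finding in find_packet_socket_owners(table, links):
        print(finding)
```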
References
- https://attack.mitre.org/techniques/T1205/
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
- https://www.amd.com/system/files/TechDocs/20213.pdf
- https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- https://www.welivesecurity.com/2021/01/26/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1205.001/T1205.001.md
- https://www.mandiant.com/resources/blog/cutting-edge-part-3
- https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN