Detect Traffic Signaling in CrowdStrike LogScale
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence—such as a specific string in a packet, a sequence of connection attempts to closed ports (port knocking), or a Wake-on-LAN magic packet—to trigger a special response from a compromised system. Passive listeners implemented via libpcap or raw sockets sniff network traffic without binding to a visible port, making them invisible to standard port scanners. Real-world examples include Turla Penquin (sniffs TCP/UDP for magic packets before C2 activation), Ryuk ransomware (Wake-on-LAN UDP broadcasts for lateral movement to powered-off systems), Winnti for Linux (passive listener activated by a magic value), SYNful Knock (Cisco IOS router backdoor activated via crafted SYN packets), ZIPLINE (triggered by a specific SSH banner string), J-magic (monitors TCP for one of five predefined parameter values then spawns a reverse shell), and REPTILE (listens for specialized packets in TCP, UDP, or ICMP for activation).
MITRE ATT&CK
- Technique: T1205 Traffic Signaling
- Canonical reference: https://attack.mitre.org/techniques/T1205/
LogScale Detection Query
// Signal 1: Packet capture library loaded by a process that is not a known network tool (ModuleLoad events).
// Windows hosts only: the Linux and appliance implants named above use libpcap or raw sockets and need Linux telemetry (see Test 4).
// ModuleLoad carries the loaded module in ImageFileName; the loading process's image, command line and user are not
// guaranteed on the event itself and may have to be joined from ProcessRollup2 on aid + TargetProcessId.
// Each signal is a separate saved query; do not paste the three together as one pipeline.
#event_simpleName="ModuleLoad"
| ImageFileName = /(?i)(wpcap|npcap|packet)\.dll$/
| ProcessImageFileName != /(?i)(wireshark|tshark|dumpcap|rawcap|networkminer|fiddler|procexp|procexp64)\.exe$/
| groupBy([ComputerName, ProcessImageFileName, ImageFileName, CommandLine, UserName], function=[count(aid, as=LoadCount), min(ContextTimeStamp, as=FirstSeen), max(ContextTimeStamp, as=LastSeen)])
| rename(field=ProcessImageFileName, as=SuspiciousProcess)
| rename(field=ImageFileName, as=CaptureLibraryLoaded)
| AlertType := "PacketCaptureLibraryLoad"
| table([FirstSeen, ComputerName, UserName, SuspiciousProcess, CaptureLibraryLoaded, CommandLine, AlertType, LoadCount])

// Signal 2: Wake-on-LAN UDP broadcast (NetworkConnectIP4 to a broadcast address on port 7 or 9).
// Protocol is numeric in Falcon telemetry: 17 = UDP, 6 = TCP.
#event_simpleName="NetworkConnectIP4"
| Protocol = 17
| (RemotePort = 7 OR RemotePort = 9)
| RemoteAddressIP4 = /^(255\.255\.255\.255|.*\.255)$/
| groupBy([ComputerName, LocalAddressIP4, RemoteAddressIP4, RemotePort, ImageFileName, CommandLine, UserName], function=[count(aid, as=WoLCount), min(ContextTimeStamp, as=FirstSeen)])
| AlertType := "WakeOnLanMagicPacket"
| table([FirstSeen, ComputerName, UserName, ImageFileName, LocalAddressIP4, RemoteAddressIP4, RemotePort, AlertType, WoLCount])

// Signal 3: Port knocking: burst of outbound connects to 3+ distinct ports on one destination inside a 1-minute bucket.
// NetworkConnectIP4 records the connect attempt; the sensor does not expose a reliable success/failure flag,
// so the signal is port breadth per destination, not "failed" connections. bucket() groups on @timestamp;
// a sequence that straddles a minute boundary is split across two buckets, so widen span= if hits come back partial.
#event_simpleName="NetworkConnectIP4"
| ConnectionDirection = 0
| bucket(span=1m, field=[ComputerName, RemoteAddressIP4, ImageFileName, UserName], function=[count(RemotePort, distinct=true, as=UniquePortCount), count(aid, as=AttemptCount), min(ContextTimeStamp, as=FirstSeen), collect([RemotePort], limit=10)])
| UniquePortCount >= 3
| rename(field=RemotePort, as=PortList)
| AlertType := "SequentialPortKnocking"
| table([FirstSeen, ComputerName, UserName, ImageFileName, RemoteAddressIP4, UniquePortCount, AttemptCount, PortList, AlertType])

These three CrowdStrike Falcon LogScale (CQL) queries cover Traffic Signaling (T1205) from Falcon sensor telemetry. Signal 1 looks for ModuleLoad events where wpcap.dll, npcap.dll, or packet.dll is loaded by a process outside the network-tool allowlist, the Windows footprint of a user-mode magic-packet sniffer. It covers Windows hosts only: the Linux families named above (Winnti for Linux, Turla Penquin, REPTILE) and the ZIPLINE appliance implant use libpcap or raw sockets and need Linux telemetry such as the auditd rule in Test 4, while router backdoors (SYNful Knock on Cisco IOS, J-magic on Juniper) sit outside endpoint telemetry altogether. Signal 2 looks for NetworkConnectIP4 events carrying UDP to port 7 or 9 at a broadcast address, the Wake-on-LAN pattern Ryuk used to reach powered-off hosts. Signal 3 buckets outbound NetworkConnectIP4 events per destination into 1-minute windows and surfaces a host hitting 3+ distinct ports on one destination IP, the port-knocking variant of the technique (cd00r-style knock sequences). Single magic-packet implants such as SYNful Knock and J-magic trigger on one crafted packet and do not produce this pattern.
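The same three signals as plain Python over a handful of constructed Falcon-style records, so the logic can be checked offline before a saved search is tuned. This is an added example, not code from the page or from CrowdStrike; the event shapes, the process path and the timestamps are assumptions, and the ModuleLoad records are shown with the process fields already joined in, as the CQL above assumes. It goes one step past the CQL for Signal 3: a sliding 60-second window instead of fixed 1-minute buckets, which catches the knock sequence below even though it straddles a minute boundary.

```python
"""Reference implementation of the three LogScale signals over constructed
Falcon-style events, including a sliding window for the port-knock signal."""
import re
from collections import defaultdict

# Process image used by the constructed events below (assumption for the example).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _net(host, dst, port, ts, proto=6):
    """Constructed outbound NetworkConnectIP4 record (ConnectionDirection 0 = outbound)."""
    return {"event_simpleName": "NetworkConnectIP4", "ComputerName": host, "ImageFileName": PS,
            "ConnectionDirection": 0, "Protocol": proto, "RemoteAddressIP4": dst,
            "RemotePort": port, "ContextTimeStamp": ts}


# Constructed sample telemetry, not real sensor data.
EVENTS = [
    {"event_simpleName": "ModuleLoad", "ComputerName": "WS01", "ProcessImageFileName": PS,
     "ImageFileName": r"C:\Windows\System32\Npcap\wpcap.dll", "ContextTimeStamp": 1700000000.0},
    {"event_simpleName": "ModuleLoad", "ComputerName": "WS01",
     "ProcessImageFileName": r"C:\Program Files\Wireshark\dumpcap.exe",  # allowlisted tool
     "ImageFileName": r"C:\Windows\System32\Npcap\wpcap.dll", "ContextTimeStamp": 1700000001.0},
    _net("WS02", "255.255.255.255", 9, 1700000010.0, proto=17),  # Wake-on-LAN broadcast
    _net("WS03", "10.0.0.5", 7000, 1700000059.0),   # knock sequence that straddles
    _net("WS03", "10.0.0.5", 8000, 1700000060.5),   # a minute boundary
    _net("WS03", "10.0.0.5", 9000, 1700000061.0),
    _net("WS03", "10.0.0.5", 10000, 1700000061.5),
    _net("WS03", "10.0.0.6", 443, 1700000070.0),    # benign: one port, repeated
    _net("WS03", "10.0.0.6", 443, 1700000071.0),
]

CAPTURE_LIBS = re.compile(r"(wpcap|npcap|packet)\.dll$", re.I)
CAPTURE_TOOLS = re.compile(
    r"(wireshark|tshark|dumpcap|rawcap|networkminer|fiddler|procexp|procexp64)\.exe$", re.I)
BROADCAST = re.compile(r"^(255\.255\.255\.255|.*\.255)$")


def capture_library_loads(events):
    """Signal 1: capture DLL loaded by a process outside the network-tool allowlist."""
    return [(e["ComputerName"], e["ProcessImageFileName"], e["ImageFileName"])
            for e in events if e["event_simpleName"] == "ModuleLoad"
            and CAPTURE_LIBS.search(e["ImageFileName"])
            and not CAPTURE_TOOLS.search(e["ProcessImageFileName"])]


def wol_broadcasts(events):
    """Signal 2: UDP to port 7 or 9 at a broadcast address."""
    return [(e["ComputerName"], e["ImageFileName"], e["RemoteAddressIP4"], e["RemotePort"])
            for e in events if e["event_simpleName"] == "NetworkConnectIP4"
            and e["Protocol"] == 17 and e["RemotePort"] in (7, 9)
            and BROADCAST.match(e["RemoteAddressIP4"])]


def port_knock_sequences(events, window=60.0, min_ports=3):
    """Signal 3 with a sliding window instead of fixed 1-minute buckets, so a knock
    sequence crossing a bucket boundary is still seen as one burst.
    Returns one alert per (host, process, destination): the densest window found."""
    by_dst = defaultdict(list)
    for e in events:
        if e["event_simpleName"] == "NetworkConnectIP4" and e["ConnectionDirection"] == 0:
            by_dst[(e["ComputerName"], e["ImageFileName"], e["RemoteAddressIP4"])].append(
                (e["ContextTimeStamp"], e["RemotePort"]))
    alerts = []
    for key, conns in by_dst.items():
        conns.sort()
        best = None
        for start, (t0, _) in enumerate(conns):
            ports = {p for t, p in conns[start:] if t - t0 <= window}
            if len(ports) >= min_ports and (best is None or len(ports) > len(best[1])):
                best = (t0, sorted(ports))
        if best:
            alerts.append((key, best[0], best[1]))
    return alerts


if __name__ == "__main__":
    for name, fn in (("Signal 1", capture_library_loads), ("Signal 2", wol_broadcasts),
                     ("Signal 3", port_knock_sequences)):
        print(name, fn(EVENTS))
```

The dumpcap.exe load and the repeated 443 connects are there as negatives; the knock sequence at 59.0 to 61.5 seconds is exactly the case a fixed `bucket(span=1m)` would split into two partial buckets.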
Data Sources
Required Tables
- Falcon sensor event ModuleLoad (#event_simpleName="ModuleLoad"), with ProcessRollup2 joined in where the loading process's image, command line and user are not carried on the event
- Falcon sensor event NetworkConnectIP4 (#event_simpleName="NetworkConnectIP4"), including ConnectionDirection, Protocol, RemoteAddressIP4 and RemotePort
False Positives & Tuning
- In-house network telemetry agents or custom APM tools built on libpcap or WinPcap that are not in the standard network-tool whitelist but serve a legitimate monitoring function
- Enterprise Wake-on-LAN management solutions (Dell KACE, PDQ Deploy, ManageEngine) used by IT teams to remotely power on endpoints for patching windows or inventory scans
- Zero Trust NAC or micro-segmentation enforcement agents that perform rapid port probing during posture assessment or network discovery phases, generating failed-connection bursts that pattern-match port knocking
Testing Methodology
Validate this detection against four tests in the style of Atomic Red Team. Each test lists the behaviour to exercise and the telemetry to expect; the Falcon event each test should produce is noted so the result can be checked against the queries above.
- Test 1: Wake-on-LAN Magic Packet Broadcast
Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to 255.255.255.255:9 over UDP. In MDE, DeviceNetworkEvents shows InitiatingProcessFileName=powershell.exe, RemoteIP=255.255.255.255, RemotePort=9, Protocol=Udp. In Falcon, a NetworkConnectIP4 event with Protocol=17, RemotePort=9 and RemoteAddressIP4=255.255.255.255, which is what Signal 2 matches. The UDP payload carries the WoL signature (6 x 0xFF followed by the target MAC repeated 16 times); that is visible only in full packet capture, since endpoint telemetry records socket metadata, not payload.
- Test 2: Port Knocking Sequence Simulation (Sequential Failed Connections)
Expected signal: Sysmon Event ID 3: four network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000 and 10000 within roughly one second. In MDE, DeviceNetworkEvents shows sequential ConnectionFailed events with distinct RemotePort values from the same initiating process, since nothing listens on those ports. In Falcon, four NetworkConnectIP4 events to the same RemoteAddressIP4 with four distinct RemotePort values inside one minute, which satisfies the UniquePortCount >= 3 condition of Signal 3; Falcon does not mark the connections as failed, so the detection rests on port breadth alone.
- Test 3: Packet Capture Library Load from Non-Network-Tool Process
Expected signal: Sysmon Event ID 7 (ImageLoad) with Image ending in powershell.exe (or python3.exe) and ImageLoaded containing wpcap.dll. In MDE, DeviceImageLoadEvents with InitiatingProcessFileName=powershell.exe or python3.exe and FileName=wpcap.dll. In Falcon, a ModuleLoad event whose ImageFileName ends in wpcap.dll for a process outside Signal 1's allowlist. The load is recorded whether or not the subsequent export call succeeds. The test requires Npcap or WinPcap to be installed; without it there is no DLL to load and no event is produced.
- Test 4: Linux Raw Packet Socket Creation (Passive Listener Simulation)
Expected signal: with the auditd rule 'auditctl -a always,exit -F arch=b64 -S socket -F a0=17 -k raw_socket_creation' in place, an AUDIT_SYSCALL record with syscall=socket, a0=17 (AF_PACKET), a1=3 (SOCK_RAW) and comm=python3. During the 2-second sleep, /proc/<PID>/net/packet lists the open packet socket. Sysmon for Linux Event ID 3 covers TCP/UDP connections rather than socket() calls, so do not expect it to record the raw socket; auditd is the source for this test. None of the three LogScale queries above covers this test, since they key on Windows DLL loads and on connection metadata; a Linux passive listener needs its own rule over auditd data.
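Tests 1 and 2 above, plus the payload check an analyst would apply to the capture from Test 1, as an added example in Python. This is not the page's Pro content and not an Atomic Red Team script; the target MAC and the knock ports are chosen for illustration, and send_wol() really broadcasts on the local network, so run it only on a lab segment.

```python
"""Generate the Test 1 and Test 2 signals and validate the Wake-on-LAN magic-packet format."""
import socket

SYNC = b"\xff" * 6  # WoL synchronisation stream


def wol_magic_packet(mac: str) -> bytes:
    """Build a magic packet: 6 x 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return SYNC + raw * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC (lower-case, colon separated) if payload is a well-formed
    magic packet, else None. The sync stream may be preceded by other bytes (the spec
    allows the magic sequence anywhere in the frame), so scan for it rather than
    assuming offset 0. A trailing SecureOn password is ignored."""
    idx = payload.find(SYNC)
    if idx < 0 or len(payload) < idx + 6 + 96:
        return None
    body = payload[idx + 6: idx + 6 + 96]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_wol(mac: str, port: int = 9, broadcast: str = "255.255.255.255") -> int:
    """Test 1: broadcast the magic packet over UDP. On a Falcon host this produces a
    NetworkConnectIP4 event with Protocol=17, RemotePort=9 and a broadcast RemoteAddressIP4."""
    pkt = wol_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


def port_knock(host: str, ports, timeout: float = 0.5):
    """Test 2: attempt TCP connects to each port in order and return (port, errno) pairs,
    where errno 0 means the connect succeeded. Closed loopback ports refuse immediately,
    which gives the burst of distinct RemotePort values Signal 3 keys on."""
    results = []
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results.append((p, s.connect_ex((host, p))))
    return results


if __name__ == "__main__":
    # Constructed lab MAC; replace with a real target before broadcasting.
    print(parse_magic_packet(wol_magic_packet("00:11:22:33:44:55")))
    print(port_knock("127.0.0.1", [7000, 8000, 9000, 10000]))
```

parse_magic_packet() is the check to run over the Test 1 capture: a frame that merely goes to UDP/9 is not a magic packet unless the 6-byte sync stream is followed by the same MAC sixteen times, which is also what a Ryuk-style WoL hunt in full packet capture should assert on rather than the port alone.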
References
- https://attack.mitre.org/techniques/T1205/
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
- https://www.amd.com/system/files/TechDocs/20213.pdf
- https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- https://www.welivesecurity.com/2021/01/26/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1205.001/T1205.001.md
- https://www.mandiant.com/resources/blog/cutting-edge-part-3
- https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN