Detect Traffic Signaling in Microsoft Sentinel
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence—such as a specific string in a packet, a sequence of connection attempts to closed ports (port knocking), or a Wake-on-LAN magic packet—to trigger a special response from a compromised system. Passive listeners implemented via libpcap or raw sockets sniff network traffic without binding to a visible port, making them invisible to standard port scanners. Real-world examples include Turla Penquin (sniffs TCP/UDP for magic packets before C2 activation), Ryuk ransomware (Wake-on-LAN UDP broadcasts for lateral movement to powered-off systems), Winnti for Linux (passive listener activated by a magic value), SYNful Knock (Cisco IOS router backdoor activated via crafted SYN packets), ZIPLINE (triggered by a specific SSH banner string), J-magic (monitors TCP for one of five predefined parameter values then spawns a reverse shell), and REPTILE (listens for specialized packets in TCP, UDP, or ICMP for activation).
MITRE ATT&CK
- Technique: T1205 Traffic Signaling
- Canonical reference: https://attack.mitre.org/techniques/T1205/
KQL Detection Query
let PacketCaptureLibs = dynamic(["wpcap.dll", "npcap.dll", "packet.dll"]);
let LegitNetworkTools = dynamic(["wireshark.exe", "tshark.exe", "dumpcap.exe", "rawcap.exe", "networkminer.exe", "fiddler.exe", "procexp.exe", "procexp64.exe"]);
// Signal 1: Unexpected process loading packet capture libraries (passive listener / magic packet sniffer indicator)
let PacketSnifferLoad = DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName has_any (PacketCaptureLibs)
    | where not(InitiatingProcessFileName has_any (LegitNetworkTools))
    | project Timestamp, DeviceName, AccountName,
        ProcessName = InitiatingProcessFileName,
        CommandLine = InitiatingProcessCommandLine,
        TargetInfo = strcat("Loaded packet capture library: ", FileName),
        AlertType = "PacketCaptureLibraryLoad";
// Signal 2: Wake-on-LAN magic packet transmission (Ryuk ransomware lateral movement pattern)
let WoLTransmission = DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where Protocol =~ "Udp"
    | where RemotePort in (7, 9)
    // Limited broadcast or subnet-directed broadcast (last octet 255); a bare `has "255"` would also
    // match ordinary hosts such as 10.255.0.3
    | where RemoteIP =~ "255.255.255.255" or RemoteIP endswith ".255"
    | project Timestamp, DeviceName,
        AccountName = InitiatingProcessAccountName,
        ProcessName = InitiatingProcessFileName,
        CommandLine = InitiatingProcessCommandLine,
        TargetInfo = strcat("WoL UDP to ", RemoteIP, ":", tostring(RemotePort)),
        AlertType = "WakeOnLanMagicPacket";
// Signal 3: Sequential failed connections to multiple distinct ports within 60-second window (port knocking pattern)
let PortKnocking = DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where ActionType == "ConnectionFailed"
    | summarize
        PortCount = dcount(RemotePort),
        PortList = make_set(RemotePort, 10),
        AttemptCount = count(),
        FirstAttempt = min(Timestamp),
        ProcessCmdLine = take_any(InitiatingProcessCommandLine),
        ActName = take_any(InitiatingProcessAccountName)
      by DeviceName, ProcName = InitiatingProcessFileName, RemoteIP, TimeBin = bin(Timestamp, 60s)
    | where PortCount >= 3
    | project Timestamp = FirstAttempt, DeviceName, AccountName = ActName,
        ProcessName = ProcName, CommandLine = ProcessCmdLine,
        TargetInfo = strcat("Port knocking: ", tostring(PortCount), " unique ports to ", RemoteIP, " within 60s"),
        AlertType = "SequentialPortKnocking";
union PacketSnifferLoad, WoLTransmission, PortKnocking
| sort by Timestamp desc

Multi-signal KQL detection for Traffic Signaling (T1205) across three primary vectors using Microsoft Defender for Endpoint tables. Signal 1 uses DeviceImageLoadEvents to identify unexpected processes loading packet capture libraries (wpcap.dll, npcap.dll, packet.dll) that may indicate passive magic packet listeners as seen in Turla Penquin and Winnti for Linux. Signal 2 uses DeviceNetworkEvents to detect UDP transmissions to broadcast addresses on Wake-on-LAN ports 7 and 9, matching the Ryuk ransomware lateral movement pattern. Signal 3 uses DeviceNetworkEvents to detect sequential TCP connection failures to three or more distinct ports on the same destination within a 60-second window, matching port knocking activation sequences.
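The following is an added example, not part of the original detection package, that re-implements Signal 3 in Python over constructed DeviceNetworkEvents-style records so the grouping logic can be checked offline. It shows both the fixed-bin semantics of the KQL (`bin(Timestamp, 60s)` then `dcount(RemotePort) >= 3`) and a sliding-window variant, and goes beyond the query in one respect: it demonstrates that a knock sequence straddling a minute boundary is missed by fixed bins but caught by the sliding window. All device names, processes, IPs and timestamps are constructed sample data.

```python
"""Port-knocking detection over constructed DeviceNetworkEvents-like records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)
MIN_PORTS = 3


def _ev(ts, device, proc, ip, port, action="ConnectionFailed"):
    """Build one constructed record using the DeviceNetworkEvents column names from the query."""
    return {"Timestamp": ts, "DeviceName": device, "InitiatingProcessFileName": proc,
            "RemoteIP": ip, "RemotePort": port, "ActionType": action}


# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = [
    # Four-port knock sequence that straddles the 12:00 / 12:01 minute boundary
    _ev("2024-01-01T12:00:58Z", "ws01", "powershell.exe", "10.0.0.5", 7000),
    _ev("2024-01-01T12:00:59Z", "ws01", "powershell.exe", "10.0.0.5", 8000),
    _ev("2024-01-01T12:01:00Z", "ws01", "powershell.exe", "10.0.0.5", 9000),
    _ev("2024-01-01T12:01:01Z", "ws01", "powershell.exe", "10.0.0.5", 10000),
    # Retries to a single closed port: one distinct port, not knocking
    _ev("2024-01-01T12:05:00Z", "ws02", "outlook.exe", "10.0.0.9", 443),
    _ev("2024-01-01T12:05:01Z", "ws02", "outlook.exe", "10.0.0.9", 443),
    _ev("2024-01-01T12:05:02Z", "ws02", "outlook.exe", "10.0.0.9", 443),
    # Successful connections are ignored regardless of port spread
    _ev("2024-01-01T12:06:00Z", "ws03", "chrome.exe", "10.0.0.7", 80, "ConnectionSuccess"),
    _ev("2024-01-01T12:06:00Z", "ws03", "chrome.exe", "10.0.0.7", 443, "ConnectionSuccess"),
    _ev("2024-01-01T12:06:00Z", "ws03", "chrome.exe", "10.0.0.7", 8443, "ConnectionSuccess"),
    # Three distinct failed ports spread over five minutes: never inside one 60 s window
    _ev("2024-01-01T12:10:00Z", "ws04", "svc.exe", "10.0.0.11", 22),
    _ev("2024-01-01T12:12:00Z", "ws04", "svc.exe", "10.0.0.11", 23),
    _ev("2024-01-01T12:15:00Z", "ws04", "svc.exe", "10.0.0.11", 25),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def group_key(e):
    # Same grouping as the KQL: DeviceName, InitiatingProcessFileName, RemoteIP
    return (e["DeviceName"], e["InitiatingProcessFileName"], e["RemoteIP"])


def failed_by_key(events):
    """Keep only ConnectionFailed events, grouped by key and sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if e["ActionType"] == "ConnectionFailed":
            groups[group_key(e)].append((parse_ts(e["Timestamp"]), e["RemotePort"]))
    for recs in groups.values():
        recs.sort()
    return groups


def detect_fixed_bin(events, window=WINDOW, min_ports=MIN_PORTS):
    """Mirror the KQL: bucket by bin(Timestamp, 60s), alert when distinct ports >= 3."""
    size = int(window.total_seconds())
    alerts = []
    for key, recs in failed_by_key(events).items():
        bins = defaultdict(list)
        for ts, port in recs:
            epoch = int(ts.timestamp())
            bins[epoch - epoch % size].append((ts, port))
        for b in sorted(bins):
            ports = sorted({p for _, p in bins[b]})
            if len(ports) >= min_ports:
                alerts.append({"key": key, "PortCount": len(ports), "PortList": ports,
                               "FirstAttempt": bins[b][0][0].isoformat()})
    return alerts


def detect_sliding(events, window=WINDOW, min_ports=MIN_PORTS):
    """Sliding window: alert as soon as min_ports distinct ports fall within any 60 s span."""
    alerts = []
    for key, recs in failed_by_key(events).items():
        buf = []
        for ts, port in recs:
            buf.append((ts, port))
            buf = [r for r in buf if ts - r[0] <= window]  # drop events older than the window
            ports = sorted({p for _, p in buf})
            if len(ports) >= min_ports:
                alerts.append({"key": key, "PortCount": len(ports), "PortList": ports,
                               "FirstAttempt": buf[0][0].isoformat()})
                buf = []  # start a fresh window so a later sequence can alert again
    return alerts


if __name__ == "__main__":
    print("fixed-bin:", detect_fixed_bin(SAMPLE_EVENTS))
    print("sliding:  ", detect_sliding(SAMPLE_EVENTS))
```

On the sample data the fixed-bin pass returns nothing (two ports land in the 12:00 bin and two in the 12:01 bin), while the sliding pass alerts on ws01 at the third distinct port. In KQL the same gap can be narrowed by running the summarize a second time with bins offset by half a window (for example `bin_at(Timestamp, 60s, datetime(2000-01-01 00:00:30))`) and unioning the results, at the cost of occasional duplicate alerts.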
Data Sources
Required Tables
- DeviceImageLoadEvents (Signal 1)
- DeviceNetworkEvents (Signals 2 and 3)
False Positives & Tuning
- Network monitoring agents (Datadog, PRTG, SolarWinds) that load Npcap/WinPcap libraries for legitimate packet-level telemetry collection
- IT management and help desk tools (ManageEngine Desktop Central, custom WoL scripts, PDQ Deploy) that legitimately send Wake-on-LAN packets to power on workstations
- Authorized penetration testing or vulnerability scanning tools (nmap, masscan) that generate sequential port connection failures during scheduled assessments
- VPN clients and network virtualization software (VMware, VirtualBox, OpenVPN) that load packet capture drivers during normal initialization
- Backup or endpoint management platforms that use WoL to wake systems for scheduled maintenance jobs outside business hours
- Service discovery and health-check mechanisms in microservice environments that probe multiple ports on container hosts in rapid succession
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Wake-on-LAN Magic Packet Broadcast
  Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 255.255.255.255:9 via UDP protocol. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemoteIP=255.255.255.255, RemotePort=9, Protocol=Udp. The UDP payload will contain the WoL signature (6x 0xFF + target MAC repeated 16 times) visible in full packet capture.
- Test 2: Port Knocking Sequence Simulation (Sequential Failed Connections)
  Expected signal: Sysmon Event ID 3: Four network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000, 10000 within approximately 1 second. ActionType will be ConnectionFailed for each since no service listens on these ports. DeviceNetworkEvents in MDE will show sequential ConnectionFailed events with distinct RemotePort values from the same initiating process.
- Test 3: Packet Capture Library Load from Non-Network-Tool Process
  Expected signal: Sysmon Event ID 7: ImageLoad event with Image path ending in powershell.exe (or python3.exe) and ImageLoaded path containing wpcap.dll. DeviceImageLoadEvents in MDE: InitiatingProcessFileName=powershell.exe or python3.exe, FileName=wpcap.dll. The load will appear regardless of whether the DLL export call succeeds.
- Test 4: Linux Raw Packet Socket Creation (Passive Listener Simulation)
  Expected signal: Linux auditd with rule 'auditctl -a always,exit -F arch=b64 -S socket -F a0=17 -k raw_socket_creation' will generate an AUDIT_SYSCALL record: syscall=socket, a0=17 (AF_PACKET), a1=3 (SOCK_RAW), process=python3. During the 2-second sleep, /proc/<PID>/net/packet will show the active raw socket. Sysmon for Linux (if deployed) will generate a NetworkConnect event for raw socket creation.
References
- https://attack.mitre.org/techniques/T1205/
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
- https://www.amd.com/system/files/TechDocs/20213.pdf
- https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
- https://www.welivesecurity.com/2021/01/26/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1205.001/T1205.001.md
- https://www.mandiant.com/resources/blog/cutting-edge-part-3
- https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN