T1205 Sumo Logic CSE · Sumo

Detect Traffic Signaling in Sumo Logic CSE

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence—such as a specific string in a packet, a sequence of connection attempts to closed ports (port knocking), or a Wake-on-LAN magic packet—to trigger a special response from a compromised system. Passive listeners implemented via libpcap or raw sockets sniff network traffic without binding to a visible port, making them invisible to standard port scanners. Real-world examples include Turla Penquin (sniffs TCP/UDP for magic packets before C2 activation), Ryuk ransomware (Wake-on-LAN UDP broadcasts for lateral movement to powered-off systems), Winnti for Linux (passive listener activated by a magic value), SYNful Knock (Cisco IOS router backdoor activated via crafted SYN packets), ZIPLINE (triggered by a specific SSH banner string), J-magic (monitors TCP for one of five predefined parameter values then spawns a reverse shell), and REPTILE (listens for specialized packets in TCP, UDP, or ICMP for activation).

MITRE ATT&CK

Tactic
Defense Evasion Persistence Command and Control
Technique
T1205 Traffic Signaling
Canonical reference
https://attack.mitre.org/techniques/T1205/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Signal 1: Packet capture library load by non-standard process (Sysmon Event ID 7)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "7"
| where (ImageLoaded matches "*\\wpcap.dll" OR ImageLoaded matches "*\\npcap.dll" OR ImageLoaded matches "*\\packet.dll")
| where !(Image matches "*\\wireshark.exe" OR Image matches "*\\tshark.exe" OR Image matches "*\\dumpcap.exe" OR Image matches "*\\rawcap.exe" OR Image matches "*\\networkminer.exe" OR Image matches "*\\fiddler.exe" OR Image matches "*\\procexp.exe" OR Image matches "*\\procexp64.exe")
| fields _messageTime, Computer, User, Image, ImageLoaded, CommandLine
| "PacketCaptureLibraryLoad" as AlertType
| concat("Packet capture library loaded: ", ImageLoaded) as Detail

// Signal 2: Wake-on-LAN broadcast (Sysmon Event ID 3, UDP port 7 or 9)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "3"
| where Protocol = "udp"
| where (DestinationPort = "7" OR DestinationPort = "9")
| where (DestinationIp = "255.255.255.255" OR DestinationIp matches "*.255")
| fields _messageTime, Computer, User, Image, DestinationIp, DestinationPort, Protocol
| "WakeOnLanMagicPacket" as AlertType
| concat("WoL UDP to ", DestinationIp, ":", DestinationPort) as Detail

// Signal 3: Port knocking pattern: connections to multiple distinct ports on one destination within 60s (Sysmon Event ID 3 carries no success/failure field, so the distinct-port count per timeslice is the signal)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "3" AND Initiated = "true"
| timeslice 60s
| count_distinct(DestinationPort) as unique_ports, count as total_attempts by _timeslice, Computer, Image, DestinationIp, User
| where unique_ports >= 3
| concat("Port knocking: ", unique_ports, " unique ports to ", DestinationIp, " in 60s") as Detail
| "SequentialPortKnocking" as AlertType
Severity: high · Confidence: medium

Detects three Traffic Signaling (T1205) behaviors using Windows Sysmon events forwarded to Sumo Logic. Covers: (1) raw packet capture library loading by unexpected processes — a hallmark of passive libpcap-based listeners used by Winnti, Penquin Turla, and REPTILE to sniff for magic activation packets; (2) Wake-on-LAN UDP broadcast traffic on ports 7/9 to broadcast addresses, as used by Ryuk ransomware for lateral movement; (3) rapid sequential connection failures to multiple distinct destination ports within a 60-second window, consistent with port-knocking sequences that unlock a hidden backdoor.
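To validate the three signals offline before deploying the Sumo queries, this added example (not the page's own code and not a Sumo Logic API) re-implements the same conditions in Python over constructed Sysmon-shaped records. The `ev()` helper, the sample events, and the fixed-window bucketing that stands in for `timeslice 60s` are assumptions of the example.

```python
from collections import defaultdict
CAPTURE_DLLS = ("wpcap.dll", "npcap.dll", "packet.dll")
KNOWN_CAPTURE_TOOLS = ("wireshark.exe", "tshark.exe", "dumpcap.exe", "rawcap.exe",
                       "networkminer.exe", "fiddler.exe", "procexp.exe", "procexp64.exe")

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def signal1_capture_lib_load(e):
    """Signal 1: Event ID 7 where a capture DLL is loaded by a process off the allowlist."""
    return (e["EventID"] == "7" and basename(e["ImageLoaded"]) in CAPTURE_DLLS
            and basename(e["Image"]) not in KNOWN_CAPTURE_TOOLS)

def signal2_wol_broadcast(e):
    """Signal 2: Event ID 3, UDP to port 7 or 9, destination is a broadcast address."""
    return (e["EventID"] == "3" and e["Protocol"] == "udp" and e["DestinationPort"] in ("7", "9")
            and (e["DestinationIp"] == "255.255.255.255" or e["DestinationIp"].endswith(".255")))

def signal3_port_knocking(events, window=60, min_ports=3):
    """Signal 3: initiated Event ID 3 records bucketed into fixed windows (like `timeslice 60s`)
    per computer/image/destination/user; buckets with >= min_ports distinct ports are hits."""
    buckets = defaultdict(set)
    for e in events:
        if e["EventID"] == "3" and e["Initiated"] == "true":
            slice_start = e["_messageTime"] - e["_messageTime"] % window
            key = (slice_start, e["Computer"], e["Image"], e["DestinationIp"], e["User"])
            buckets[key].add(e["DestinationPort"])
    return {k: sorted(v) for k, v in buckets.items() if len(v) >= min_ports}

def ev(**fields):
    """Constructed Sysmon-like record (not real telemetry) with the fields the queries read."""
    base = {"EventID": "3", "Protocol": "tcp", "Initiated": "true", "_messageTime": 0,
            "Computer": "WS01", "User": "CORP\\alice", "Image": "powershell.exe",
            "ImageLoaded": "", "DestinationIp": "", "DestinationPort": ""}
    return {**base, **fields}

SAMPLE = [
    ev(EventID="7", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       ImageLoaded=r"C:\Windows\System32\wpcap.dll"),                    # Signal 1 hit
    ev(EventID="7", Image=r"C:\Program Files\Wireshark\dumpcap.exe",
       ImageLoaded=r"C:\Windows\System32\npcap.dll"),                    # allowlisted tool
    ev(Protocol="udp", DestinationIp="255.255.255.255", DestinationPort="9"),  # Signal 2 hit
    ev(Protocol="udp", DestinationIp="10.0.0.5", DestinationPort="9"),  # unicast, no hit
] + [ev(_messageTime=100 + i, DestinationIp="127.0.0.1", DestinationPort=p)
     for i, p in enumerate(("7000", "8000", "9000", "10000"))]          # Test 2 knock sequence

def run_all(events=SAMPLE):
    """Apply the three signals; returns hit counts for 1 and 2 and the Signal 3 buckets."""
    return {"signal1": sum(map(signal1_capture_lib_load, events)),
            "signal2": sum(map(signal2_wol_broadcast, events)),
            "signal3": signal3_port_knocking(events)}
```

Raising `min_ports` or widening the allowlist here mirrors the tuning you would apply to the Sumo queries in the False Positives section.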

Data Sources

  • Windows Sysmon via Sumo Logic Windows collection (Event IDs 3 and 7)
  • Sumo Logic Installed Collector with Windows source
  • Sumo Logic CSE normalized Windows security events

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=WinEventLog/Sysmon

False Positives & Tuning

  • Legitimate packet capture tools that are not in the whitelist (e.g., custom in-house network diagnostic scripts calling wpcap.dll) will generate false positives for Signal 1
  • Wake-on-LAN tools used by helpdesk or MDM solutions for device management will trigger Signal 2 in environments with WoL-based provisioning workflows
  • Network scanners, vulnerability management agents, or even noisy clients reconnecting during network instability can generate multiple rapid connection failures that resemble port knocking in Signal 3

Testing Methodology

Validate this detection with the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Wake-on-LAN Magic Packet Broadcast

    Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 255.255.255.255:9 via UDP protocol. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe, RemoteIP=255.255.255.255, RemotePort=9, Protocol=Udp. The UDP payload will contain the WoL signature (6x 0xFF + target MAC repeated 16 times) visible in full packet capture.

  2. Test 2: Port Knocking Sequence Simulation (Sequential Failed Connections)

    Expected signal: Sysmon Event ID 3: Four network connection events from powershell.exe to 127.0.0.1 on ports 7000, 8000, 9000, 10000 within approximately 1 second. ActionType will be ConnectionFailed for each since no service listens on these ports. DeviceNetworkEvents in MDE will show sequential ConnectionFailed events with distinct RemotePort values from the same initiating process.

  3. Test 3: Packet Capture Library Load from Non-Network-Tool Process

    Expected signal: Sysmon Event ID 7: ImageLoad event with Image path ending in powershell.exe (or python3.exe) and ImageLoaded path containing wpcap.dll. DeviceImageLoadEvents in MDE: InitiatingProcessFileName=powershell.exe or python3.exe, FileName=wpcap.dll. The load will appear regardless of whether the DLL export call succeeds.

  4. Test 4: Linux Raw Packet Socket Creation (Passive Listener Simulation)

    Expected signal: Linux auditd with rule 'auditctl -a always,exit -F arch=b64 -S socket -F a0=17 -k raw_socket_creation' will generate AUDIT_SYSCALL record: syscall=socket, a0=17 (AF_PACKET), a1=3 (SOCK_RAW), process=python3. During the 2-second sleep, /proc/<PID>/net/packet will show the active raw socket. Sysmon for Linux (if deployed) will generate a NetworkConnect event for raw socket creation.
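To confirm a Signal 2 hit from full packet capture, as Test 1 describes, an analyst needs to recognise the Wake-on-LAN magic packet layout (6 bytes of 0xFF followed by the target MAC repeated 16 times). This added example (not from the page or any Sumo Logic tooling) parses a UDP payload for that layout and returns the target MAC; the sample payloads and the illustrative MAC are constructed.

```python
SYNC = b"\xff" * 6  # the six-byte synchronisation stream that opens a magic packet

def parse_wol_magic(payload):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload contains a WoL
    magic packet, else None. The magic sequence may sit at any offset, and a
    trailing SecureOn password (4 or 6 bytes) after the 16 MAC copies is ignored."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]   # 16 x 6-byte MAC copies = 96 bytes
        mac = body[:6]
        if len(body) == 96 and body == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)    # try a later 0xFF run
    return None

# Constructed sample payloads (not captured traffic); MAC is illustrative.
TARGET_MAC = bytes.fromhex("001122334455")
WOL_PACKET = SYNC + TARGET_MAC * 16
WOL_WITH_PASSWORD = WOL_PACKET + b"\x00" * 6          # SecureOn suffix tolerated
WOL_OFFSET = b"\x00\x01" + WOL_PACKET                 # magic sequence not at offset 0
NOT_WOL_SHORT = SYNC + TARGET_MAC * 15                # only 15 copies
NOT_WOL_MIXED = SYNC + TARGET_MAC * 15 + bytes.fromhex("00112233aa55")  # last copy differs
```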
