title: Port Knocking (T1205.001)
id: df00tech-t1205-001
status: experimental
description: "Adversaries may use port knocking to conceal open ports used for persistence or command and control. A predefined sequence of connection attempts to closed ports causes the host-based firewall (or custom software) to dynamically open a listening port. Implementations include libpcap-based packet sniffing (cd00r, REPTILE), raw socket listeners, and dedicated daemons such as knockd or fwknopd. Real-world usage includes PROMETHIUM configuring knockd for C2 access, UNC3886 using ICMP-based knocking on FortiGate firewalls, the Mafalda/metaMain implant pair using knocking for inter-implant authentication, and REPTILE malware accepting knock sequences to activate backdoor access."
references:
  - https://attack.mitre.org/techniques/T1205/001/
  - https://df00tech.com/detections/T1205.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1205.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate administrators using knockd or fwknopd to protect SSH access on servers; extremely common on hardened Linux hosts exposed to the internet"
  - "Security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7) that probe multiple ports in sequence during authorized scans"
  - "Network monitoring and probing tools that check port availability across a range, which may resemble a knock sequence in firewall deny logs"
  - "Developers or sysadmins manually testing firewall rules by attempting connections to multiple ports in succession"
  - "Load balancer health checks or service mesh probes that contact multiple backend ports in a brief window"
level: high
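The description names the knock mechanism but the detection block above is only a placeholder. As an added example (not df00tech's published KQL/SPL query), the Python below runs one knock-sequence heuristic over constructed iptables-style firewall log lines: a few distinct denied ports from one source followed within a short window by an accepted connection, while a source hitting dozens of ports is treated as a scanner (a false positive listed above) rather than a knocker. The log format, field names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). 203.0.113.5 knocks three closed
# ports and is then accepted on 22; 192.0.2.9 only produces two drops.
SAMPLE_LOG = """\
2026-04-19T10:00:01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=7000
2026-04-19T10:00:02 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=8000
2026-04-19T10:00:03 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=9000
2026-04-19T10:00:05 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=22
2026-04-19T10:01:00 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP DPT=80
2026-04-19T10:01:01 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP DPT=443
"""
# Constructed scanner traffic: 20 distinct ports denied, then an accept on 22.
SCANNER_LOG = "".join(
    f"2026-04-19T10:02:{i:02d} kernel: DROP IN=eth0 SRC=192.0.2.50 "
    f"DST=198.51.100.7 PROTO=TCP DPT={1000 + i}\n" for i in range(20)
) + "2026-04-19T10:02:25 kernel: ACCEPT IN=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=TCP DPT=22\n"

LINE_RE = re.compile(r"^(\S+) kernel: (DROP|ACCEPT) .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(log):
    """Yield (timestamp, action, source, dst_port) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, src, dpt = m.groups()
            yield datetime.fromisoformat(ts), action, src, int(dpt)

def find_knock_sequences(log, window=timedelta(seconds=30), min_ports=3, max_ports=8):
    """Return {src: (knocked_ports, opened_port)} for sources whose drops on a small
    set of distinct ports are followed, within `window`, by an accepted connection."""
    drops = defaultdict(list)  # src -> [(timestamp, port)] within the window
    hits = {}
    for ts, action, src, port in parse(log):
        recent = [(t, p) for t, p in drops[src] if ts - t <= window]
        drops[src] = recent
        if action == "DROP":
            recent.append((ts, port))
            continue
        seq = list(dict.fromkeys(p for _, p in recent))  # distinct ports, in order
        # A handful of closed ports then an accept looks like a knock; dozens of
        # ports is scanner behaviour and is left to a separate port-scan rule.
        if min_ports <= len(seq) <= max_ports:
            hits[src] = (seq, port)
    return hits

if __name__ == "__main__":
    for src, (seq, opened) in find_knock_sequences(SAMPLE_LOG + SCANNER_LOG).items():
        print(f"possible knock from {src}: {seq} -> accepted on {opened}")
```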
