title: Traffic Signaling (T1205)
id: df00tech-t1205
status: experimental
description: "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence—such as a specific string in a packet, a sequence of connection attempts to closed ports (port knocking), or a Wake-on-LAN magic packet—to trigger a special response from a compromised system. Passive listeners implemented via libpcap or raw sockets sniff network traffic without binding to a visible port, making them invisible to standard port scanners. Real-world examples include Turla Penquin (sniffs TCP/UDP for magic packets before C2 activation), Ryuk ransomware (Wake-on-LAN UDP broadcasts for lateral movement to powered-off systems), Winnti for Linux (passive listener activated by a magic value), SYNful Knock (Cisco IOS router backdoor activated via crafted SYN packets), ZIPLINE (triggered by a specific SSH banner string), J-magic (monitors TCP for one of five predefined parameter values then spawns a reverse shell), and REPTILE (listens for specialized packets in TCP, UDP, or ICMP for activation)."
references:
  - https://attack.mitre.org/techniques/T1205/
  - https://df00tech.com/detections/T1205
author: df00tech
date: 2026/04/19
tags:
  - attack.t1205
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# network_connection only records sockets that connect or accept; a passive
# libpcap/raw-socket listener never binds, so this category will not see it.
# Pair with image_load/driver_load telemetry for Npcap/WinPcap (see falsepositives)
# and with UDP/9 broadcast and failed-connection telemetry for WoL and port knocking.
logsource:
  category: network_connection
  product: windows
detection:
  # PLACEHOLDER: the df00tech logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # 'EventID: *' matches EVERY event in this logsource. Do not deploy at level: high
  # until the selection below is replaced with the referenced query.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Network monitoring agents (Datadog, PRTG, SolarWinds) that load Npcap/WinPcap libraries for legitimate packet-level telemetry collection"
  - "IT management and help desk tools (ManageEngine Desktop Central, custom WoL scripts, PDQ Deploy) that legitimately send Wake-on-LAN packets to power on workstations"
  - "Authorized penetration testing or vulnerability scanning tools (nmap, masscan) that generate sequential port connection failures during scheduled assessments"
  - "VPN clients and network virtualization software (VMware, VirtualBox, OpenVPN) that load packet capture drivers during normal initialization"
  - "Backup or endpoint management platforms that use WoL to wake systems for scheduled maintenance jobs outside business hours"
  - "Service discovery and health-check mechanisms in microservice environments that probe multiple ports on container hosts in rapid succession"
level: high
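
Added reference logic, not part of the df00tech rule or of the ATT&CK page: Python checks for two of the signals the description and the false-positive list point at, the Wake-on-LAN magic packet layout and a port-knock sequence in connection telemetry. The event tuple layout, the `fail`/`ok` outcome labels and the sample data are assumptions constructed for this example. The knock detector deliberately requires a completed connection after the failures, which is what separates a knock from the nmap/masscan scans listed under falsepositives (a scan produces failures with no follow-up success).

```python
# Added example (not df00tech's or MITRE's code). Field layout and sample data are assumed.
from collections import defaultdict, deque

WOL_BODY_LEN = 102  # 6-byte 0xFF sync stream + 16 copies of a 6-byte MAC


def is_wol_magic_packet(payload: bytes) -> bool:
    """Return True if payload has the Wake-on-LAN magic packet layout.

    Layout: FF*6, then the target MAC repeated 16 times; an optional
    SecureOn password of 4 or 6 bytes may follow. Anything else is rejected,
    so a UDP/9 broadcast carrying other data does not match.
    """
    if len(payload) < WOL_BODY_LEN or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    if payload[6:WOL_BODY_LEN] != mac * 16:
        return False
    return len(payload) - WOL_BODY_LEN in (0, 4, 6)


def find_port_knocks(events, window_s=10.0, min_ports=3):
    """Find port-knock patterns in connection events.

    events: iterable of (ts, src, dst, dst_port, result) where result is
    "fail" (RST or timeout to a closed port) or "ok" (handshake completed).
    A hit is a source that fails against >= min_ports distinct ports on one
    host within window_s and then completes a connection to that host inside
    the same window. Returns one dict per hit; the per-pair failure buffer is
    cleared after a hit so the same knocks are not reported twice.
    """
    hits = []
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port) failures
    for ts, src, dst, port, result in sorted(events, key=lambda e: e[0]):
        q = recent[(src, dst)]
        while q and ts - q[0][0] > window_s:  # drop failures outside the window
            q.popleft()
        if result == "fail":
            q.append((ts, port))
            continue
        knocked = [p for _, p in q]
        if len(set(knocked)) >= min_ports:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "knocks": knocked, "opened": port})
            q.clear()
    return hits


# Constructed sample data (not captured traffic).
SAMPLE_WOL = b"\xff" * 6 + bytes.fromhex("001122aabbcc") * 16
SAMPLE_EVENTS = [
    # knock sequence 7000, 8000, 9000, then the knocked host accepts on 2222
    (100.0, "10.0.0.5", "10.0.0.20", 7000, "fail"),
    (100.5, "10.0.0.5", "10.0.0.20", 8000, "fail"),
    (101.0, "10.0.0.5", "10.0.0.20", 9000, "fail"),
    (102.0, "10.0.0.5", "10.0.0.20", 2222, "ok"),
    # scanner: many failures, no follow-up success -> not a knock
    (200.0, "10.0.0.9", "10.0.0.20", 21, "fail"),
    (200.1, "10.0.0.9", "10.0.0.20", 23, "fail"),
    (200.2, "10.0.0.9", "10.0.0.20", 25, "fail"),
    (200.3, "10.0.0.9", "10.0.0.20", 110, "fail"),
    # benign retry: a single failure then success -> below threshold
    (300.0, "10.0.0.7", "10.0.0.20", 443, "fail"),
    (300.2, "10.0.0.7", "10.0.0.20", 443, "ok"),
]


def demo():
    """Run both checks over the constructed samples."""
    return {
        "wol_match": is_wol_magic_packet(SAMPLE_WOL),
        "wol_with_secureon": is_wol_magic_packet(SAMPLE_WOL + b"\x00" * 6),
        "knock_hits": find_port_knocks(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Tune `window_s` and `min_ports` to the environment: health checks that probe several ports on a container host (listed under falsepositives) will also fail and then succeed, so in those environments raise `min_ports` or allow-list the probing sources rather than lowering the level.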
