Esc
Traffic Signaling - T1205

(ATT&CK® Technique)
Subtechniques

Definition

Adversaries use traffic signaling techniques, such as sending specific network sequences or magic packets, to covertly trigger actions like opening ports, activating backdoors, or installing filters, facilitating command and control, persistence, and defense evasion.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1205["Traffic Signaling"] --> |produces| NetworkTraffic["Network Traffic"]; class T1205 OffensiveTechniqueNode;
        class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
        click T1205 href "/offensive-technique/attack/T1205/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";             Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1205["Traffic Signaling"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1205["Traffic Signaling"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1205["Traffic Signaling"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";                          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1205["Traffic Signaling"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";        PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1205["Traffic Signaling"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | NetworkTraffic["Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1205["Traffic Signaling"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1205["Traffic Signaling"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1205["Traffic Signaling"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";
json