Esc

Port Knocking - T1205.001

(ATT&CK® Technique)

Definition

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1205001["Port Knocking"] --> |produces| NetworkTraffic["Network Traffic"]; class T1205001 OffensiveTechniqueNode;
        class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
        click T1205001 href "/offensive-technique/attack/T1205.001/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";             PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1205001["Port Knocking"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1205001["Port Knocking"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1205001["Port Knocking"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";             NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1205001["Port Knocking"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                   RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1205001["Port Knocking"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";                    UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1205001["Port Knocking"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | NetworkTraffic["Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1205001["Port Knocking"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";                           Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1205001["Port Knocking"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";

json