Skip to content

DET0302 Port-knock → rule/daemon change → first successful connect (T1205.001)

Item Value
ID DET0302
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1205.001 (Port Knocking)

Analytics

Windows

AN0842

A remote source rapidly touches a short sequence of closed ports (SYN→RST/S0) on a Windows host. Within a short window the host changes firewall state (WFP rule added/modified or service starts listening) and then the same source completes the first successful handshake to the newly opened port.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Network Traffic Flow (DC0078) WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall EventCode=2004, 2005, 2006
Mutable Elements
Field Description
TimeWindow Seconds to correlate knock sequence → rule change → successful connect (60–300s typical).
MinSequenceLen Minimum number of distinct destination ports in the sequence (≥3 by default).
RuleChangeAllowList Accounts/processes allowed to adjust Windows Firewall (e.g., update agents).
WatchedPorts Ports of interest to flag when opened (e.g., 22,23,2323,8022,3389,8080).

Linux

AN0843

A source performs a short closed-port sequence; the host then modifies iptables/nftables/ufw rules or starts a daemon binding a new socket, followed by a successful connection from the same source.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve: Commands that alter firewall or start listeners: iptables
Network Connection Creation (DC0082) auditd:SYSCALL socket/bind: New bind() to a previously closed port shortly after the sequence.
Network Traffic Flow (DC0078) NSM:Flow Knock pattern: repeated REJ/S0 across ≥MinSequenceLen ports from same src_ip then SF success.
Mutable Elements
Field Description
ServicePort Candidate port expected to open after knock (e.g., 22/2323).
KnockTolerance Max seconds between hits inside the sequence.
MgmtAllowList Automation allowed to change firewall/daemon state (config mgmt, orchestration).

macOS

AN0844

A source performs a closed-port sequence; the endpoint enables a PF/socketfilterfw rule or a background process binds a port; then a successful connection completes from the same source.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers.
Network Traffic Flow (DC0078) macos:unifiedlog Firewall/PF anchor load or rule change events.
Network Connection Creation (DC0082) NSM:Flow Sequence of REJ/S0 then SF success from same src_ip within TimeWindow.
Mutable Elements
Field Description
PFAnchorPaths Anchors/confs to monitor (/etc/pf.conf, /etc/pf.anchors/*).
DevMode Suppress expected PF testing on developer devices.

Network Devices

AN0845

Router/switch receives a knock pattern (same src touches device unicast, broadcast, and network-address on same or stepped ports) followed by ACL/line-vty/service enable and the first mgmt session success.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) networkdevice:syslog Config/ACL changes, line vty transport input changes, telnet/ssh/http(s) enable, image/feature module changes.
Network Connection Creation (DC0082) NSM:Flow Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow.
Mutable Elements
Field Description
MgmtPortSet Mgmt ports to focus on: 22,23,2323,80,443,161,4786.
DeviceRole Tighten thresholds on edge/internet-facing devices.