S0519 SYNful Knock
SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[1][2]
| Item | Value |
|---|---|
| ID | S0519 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 19 October 2020 |
| Last Modified | 14 December 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1556 | Modify Authentication Process | - |
| enterprise | T1556.004 | Network Device Authentication | SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.[1] |
| enterprise | T1601 | Modify System Image | - |
| enterprise | T1601.001 | Patch System Image | SYNful Knock is malware that is inserted into a network device by patching the operating system image.[1][2] |
| enterprise | T1205 | Traffic Signaling | SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.[1] |