S0519 SYNful Knock

SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim’s network and provide new capabilities to the adversary.[1][2]

Item Value
ID S0519
Version 1.0
Created 19 October 2020
Last Modified 14 December 2021
Techniques Used

Domain ID Name Use
enterprise T1556 Modify Authentication Process -
enterprise T1556.004 Network Device Authentication SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.[1]
enterprise T1601 Modify System Image -
enterprise T1601.001 Patch System Image SYNful Knock is malware that is inserted into a network device by patching the operating system image.[1][2]
enterprise T1205 Traffic Signaling SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.[1]