S1204 cd00r
cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was originally released in 2000. Its source code is built around a packet-capturing program: it uses a sniffer to watch for a specific sequence of network traffic, a "secret knock", before executing the attacker's code.[2][1]
| Item | Value |
|---|---|
| ID | S1204 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 19 February 2025 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1040 | Network Sniffing | cd00r can use the libpcap library to monitor captured packets for specific sequences.[2] |
| enterprise | T1095 | Non-Application Layer Protocol | cd00r can monitor incoming C2 communications sent over TCP to the compromised host.[2][1] |
| enterprise | T1016 | System Network Configuration Discovery | cd00r can discover the IP address of the network interface on the compromised device.[2] |
| enterprise | T1205 | Traffic Signaling | - |
| enterprise | T1205.001 | Port Knocking | cd00r can watch for a sequence of single TCP SYN packets sent, in order, to a configurable list of ports (200, 80, 22, 53 and 3 in the original code) before opening a port for communication.[2][1] |
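The knock sequence described in the T1205.001 row is something a defender can hunt for in SYN telemetry (flow logs, Zeek conn records, a pcap). The following detector is an added example written for this page; it is not cd00r's own code and not part of the ATT&CK entry. It replays constructed packet records through a per-source state machine that mirrors the page's description: one SYN per port, in the listed order, within a time window. The reset rules, the 30-second window and the `Pkt` record layout are assumptions of this example, not documented cd00r behaviour.

```python
"""Detect cd00r-style port-knock sequences in TCP SYN telemetry.

Added example, not cd00r's own code: replays constructed packet
records through a per-source state machine that follows the page's
description (one SYN per port, in order, before a port is opened).
"""
from collections import namedtuple

# Default knock sequence from the original cd00r source, as given on the page.
CD00R_SEQUENCE = (200, 80, 22, 53, 3)

# Constructed packet record (assumed layout): timestamp, source IP,
# destination port, TCP flags as a short string ("S" = pure SYN).
Pkt = namedtuple("Pkt", "ts src dport flags")


def find_knock_sequences(packets, sequence=CD00R_SEQUENCE, window=30.0):
    """Return [(src, first_ts, last_ts)] for every completed knock.

    Rules (assumptions of this detector, not cd00r's exact logic):
      * only pure SYN packets (flags == "S") count as a knock;
      * a SYN to the next expected port advances the source's state;
      * a SYN to another port that is in the sequence resets that state
        (restarting at step one if it hits the first port);
      * SYNs to ports outside the sequence are ignored entirely;
      * if the whole sequence has not arrived within `window` seconds
        of its first knock, the partial state is discarded.
    """
    state = {}  # src -> (index of next expected port, ts of first knock)
    hits = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.flags != "S" or p.dport not in sequence:
            continue
        idx, first = state.get(p.src, (0, None))
        if first is not None and p.ts - first > window:
            idx, first = 0, None  # stale partial knock, start over
        if p.dport == sequence[idx]:
            if first is None:
                first = p.ts
            idx += 1
        elif p.dport == sequence[0]:
            idx, first = 1, p.ts  # wrong step, but it is a fresh first knock
        else:
            idx, first = 0, None  # out-of-order knock port: reset
        if idx == len(sequence):
            hits.append((p.src, first, p.ts))
            idx, first = 0, None
        state[p.src] = (idx, first)
    return hits


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # A full, in-order knock from 203.0.113.5 within five seconds.
    Pkt(100.0, "203.0.113.5", 200, "S"),
    Pkt(101.0, "203.0.113.5", 80, "S"),
    Pkt(102.0, "203.0.113.5", 22, "S"),
    Pkt(103.0, "203.0.113.5", 53, "S"),
    Pkt(104.0, "203.0.113.5", 3, "S"),
    # Ordinary traffic from the same host afterwards (not a knock port).
    Pkt(105.0, "203.0.113.5", 5002, "S"),
    # An ascending port scan from 198.51.100.7 touches the same five ports,
    # but in the wrong order, so it must not be flagged.
    Pkt(200.0, "198.51.100.7", 3, "S"),
    Pkt(200.1, "198.51.100.7", 22, "S"),
    Pkt(200.2, "198.51.100.7", 53, "S"),
    Pkt(200.3, "198.51.100.7", 80, "S"),
    Pkt(200.4, "198.51.100.7", 200, "S"),
    # A knock that stalls: four correct ports, then the last one arrives
    # 100 seconds after the first, outside the default 30-second window.
    Pkt(300.0, "192.0.2.9", 200, "S"),
    Pkt(301.0, "192.0.2.9", 80, "S"),
    Pkt(302.0, "192.0.2.9", 22, "S"),
    Pkt(303.0, "192.0.2.9", 53, "S"),
    Pkt(400.0, "192.0.2.9", 3, "S"),
]

if __name__ == "__main__":
    for src, first_ts, last_ts in find_knock_sequences(SAMPLE_PACKETS):
        print(f"knock sequence from {src}: t={first_ts} .. {last_ts}")
```

The window is the main tuning knob: too wide and a randomised port scanner will eventually produce a false positive, too narrow and a knock sent by hand over a slow link is missed. In practice the sequence itself is the unknown, since an operator deploying cd00r is free to change `CDR_PORTS`; the more general hunt is for any source that sends exactly one SYN to each of several unusual ports and then opens a connection to a port that was previously closed.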