MITRE ATT&CK Technique
Description
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system. The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-07-01T18:23:25.002Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may use port knocking to hide open ports used for '
'persistence or command and control. To enable a port, an '
'adversary sends a series of attempted connections to a '
'predefined sequence of closed ports. After the sequence is '
'completed, opening a port is often accomplished by the host '
'based firewall, but could also be implemented by custom '
'software.\n'
'\n'
'This technique has been observed both for the dynamic opening '
'of a listening port as well as the initiating of a connection '
'to a listening server on a different system.\n'
'\n'
'The observation of the signal packets to trigger the '
'communication can be conducted through different methods. One '
'means, originally implemented by Cd00r (Citation: Hartrell '
'cd00r 2002), is to use the libpcap libraries to sniff for the '
'packets in question. Another method leverages raw sockets, '
'which enables the malware to use ports that are already open '
'for use by other programs.',
'external_references': [{'external_id': 'T1205.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1205/001'},
{'description': 'Hartrell, Greg. (2002, August). Get '
'a handle on cd00r: The invisible '
'backdoor. Retrieved October 13, '
'2018.',
'source_name': 'Hartrell cd00r 2002',
'url': 'https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631'}],
'id': 'attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'command-and-control'}],
'modified': '2025-10-24T17:49:04.301Z',
'name': 'Port Knocking',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'Network Devices'],
'x_mitre_version': '1.2'}