| ID | Name |
|---|---|
| ATAGS-T1076.001 | Port Knocking |
| ATAGS-T1076.002 | Socket Filters |
Threat Actors may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.