216.73.217.22

T1205: T1205

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID
T1205
Confidence
100/100
Revoked
No
Published
16/12/2025 19:37
Modified
27/03/2026 01:10
Author / Source
The MITRE Corporation

Aliases

Traffic Signaling

Platforms

windows macos linux Network Devices

Description

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)

Kill chain phases

Kill chainPhase
mitre-attack command-and-control
mitre-attack defense-evasion
mitre-attack persistence

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (17)

  • UNC3886 uses
    The MITRE Corporation Confidence 100

    [UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • UAC-0057 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:45 · Modified 21/12/2025 15:45
  • MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS
    The MITRE Corporation Confidence 100

    [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 22/05/2026 04:12
  • PolarEdge uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 16:57 · Modified 21/12/2025 16:57
  • Dust Specter uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 03/03/2026 18:14 · Modified 03/03/2026 18:14
  • Kimsuky uses Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • MuddyWater uses Earth VetalaStatic Kitten
    The MITRE Corporation Confidence 100

    [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • Winnti uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 22:07 · Modified 20/12/2025 22:07
  • BBTok uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:42 · Modified 21/12/2025 06:42
  • UNC5221 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:58 · Modified 21/12/2025 04:58
  • Water Barghest uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:58 · Modified 21/12/2025 07:58
  • AISURU uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 17:49 · Modified 21/12/2025 17:49
  • ShadyPanda uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 19:23 · Modified 21/12/2025 19:23
  • Tadashi uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 30/04/2026 10:17 · Modified 30/04/2026 10:17
  • RudePanda uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 17:42 · Modified 21/12/2025 17:42
  • APT-C-36 uses Blind Eagle
    The MITRE Corporation Confidence 100

    [APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • LapDogs uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:11 · Modified 21/12/2025 15:11

Malware (65)

  • ConfuserEx uses
    Family
    Published 27/08/2025 19:54 · Modified 27/08/2025 19:54
  • TWINTALK uses
    Family
    Published 02/03/2026 17:44 · Modified 02/03/2026 17:44
  • SYNful Knock
  • SPAWNSNARE uses
    Family
    Published 04/04/2025 07:07 · Modified 04/04/2025 07:07
  • REPTILE uses
    Family
    Published 11/04/2025 15:42 · Modified 11/04/2025 15:42
  • Ryuk
  • WingtbCLI uses
    Family
    Published 22/10/2025 19:02 · Modified 22/10/2025 19:02
  • VLTRig uses
    Family
    Published 29/04/2026 19:42 · Modified 29/04/2026 19:42
  • MystRodX uses
    Family
    Published 28/08/2025 10:25 · Modified 28/08/2025 10:25
  • Glutton uses
    Family
    Published 11/12/2024 19:24 · Modified 11/12/2024 19:24
  • Bashlite uses
    Family
    Published 28/01/2026 13:31 · Modified 28/01/2026 13:31
  • Mirai uses
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • Beep
  • ShortLeash uses
    Family
    Published 26/06/2025 21:14 · Modified 26/06/2025 21:14
  • Umbreon
  • SPLITDROP uses
    Family
    Published 02/03/2026 17:44 · Modified 02/03/2026 17:44
  • Pandora
  • Vidar uses
    Family
    Published 16/06/2026 09:50 · Modified 16/06/2026 09:50
  • Maggie uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • GHOSTFORM uses
    Family
    Published 02/03/2026 17:44 · Modified 02/03/2026 17:44
  • LummaC2 uses
    Family
    Published 16/01/2026 20:33 · Modified 16/01/2026 20:33
  • HinataBot
  • SEASPY uses
    Family
    Published 19/02/2026 16:01 · Modified 19/02/2026 16:01
  • Atera Agent uses
    Family
    Published 18/09/2024 08:29 · Modified 18/09/2024 08:29
  • Infinity V+ uses
    Family
    Published 03/12/2025 20:19 · Modified 03/12/2025 20:19
  • Uroburos
  • BRUSHFIRE uses
    Family
    Published 04/04/2025 07:07 · Modified 04/04/2025 07:07
  • BBTok uses
    Family
    Published 26/09/2024 12:55 · Modified 26/09/2024 12:55
  • TWINTASK uses
    Family
    Published 02/03/2026 17:44 · Modified 02/03/2026 17:44
  • PureCrypter uses
    Family
    Published 10/10/2025 08:25 · Modified 10/10/2025 08:25
  • Emmenhtal Loader uses
    Family
    Published 30/01/2026 08:20 · Modified 30/01/2026 08:20
  • BUSHWALK
  • ToneShell uses
    Family
    Published 17/04/2026 18:56 · Modified 17/04/2026 18:56
  • SPAWNSLOTH uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:44 · Modified 21/12/2025 08:44
  • HijackServer uses
    Family
    Published 22/10/2025 19:02 · Modified 22/10/2025 19:02
  • TRANSLATEXT uses
    Family
    Published 28/06/2024 07:46 · Modified 28/06/2024 07:46
  • TrailBlazer - S0682 uses
    Family
    Published 04/04/2025 07:07 · Modified 04/04/2025 07:07
  • Winnti for Linux
  • WeTab uses
    Family
    Published 03/12/2025 20:19 · Modified 03/12/2025 20:19
  • Penquin
  • Rhadamanthys uses
    Family
    Published 29/04/2026 02:24 · Modified 29/04/2026 02:24
  • SPAWNWAVE uses
    Family
    Published 04/04/2025 07:07 · Modified 04/04/2025 07:07
  • Chaos
  • AIRASHI uses
    Family
    Published 25/09/2025 09:20 · Modified 25/09/2025 09:20
  • Clean Master uses
    Family
    Published 03/12/2025 20:19 · Modified 03/12/2025 20:19
  • BOLDMOVE
  • Aisuru uses
    Family
    Published 29/01/2026 03:42 · Modified 29/01/2026 03:42
  • Ngioweb uses
    Family
    Published 25/09/2025 09:21 · Modified 25/09/2025 09:21
  • Bumblebee
  • xlabs_v1 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 30/04/2026 10:17 · Modified 30/04/2026 10:17
  • J-magic uses
    Family
    Published 23/01/2025 21:03 · Modified 23/01/2025 21:03
  • PUBLOAD uses
    Family
    Published 07/04/2026 11:11 · Modified 07/04/2026 11:11
  • NetSupport RAT uses
    Family
    Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
  • Remcos RAT uses
    Family
    Published 17/06/2026 18:20 · Modified 17/06/2026 18:20
  • cd00r uses
    Family
    Published 23/01/2025 21:03 · Modified 23/01/2025 21:03
  • Cobalt Strike - S0154 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
  • ZIPLINE
  • XFiles Stealer uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 30/01/2026 09:49 · Modified 30/01/2026 09:49
  • PolarEdge uses
    Family
    Published 01/09/2025 09:30 · Modified 01/09/2025 09:30
  • Kobalos
  • Zerobot
  • UPX uses
    Family
    Published 27/08/2025 19:54 · Modified 27/08/2025 19:54
  • Dero uses
    Family
    Published 21/05/2025 23:03 · Modified 21/05/2025 23:03
  • HijackDriverManager uses
    Family
    Published 22/10/2025 19:02 · Modified 22/10/2025 19:02
  • VoidLink uses
    Family
    Published 26/03/2026 11:59 · Modified 26/03/2026 11:59

Reports (15)

Vulnerabilities (CVE) (44)

CVE-2020-25506 KEV

D-Link DNS-320 device contains a command injection vulnerability in the sytem_mgr.cgi component that may allow for remote code execution.

Published
03/11/2021
Modified
20/12/2025
CVE-2022-35733
9.8 Critical

Missing authentication for critical function vulnerability in UNIMO Technology digital video recorders (UDR-JA1004/JA1008/JA1016 firmware versions v1.0.20.13 and earlier, and UDR-JA1016 firmware versions …

Attack vector
NETWORK
Published
23/08/2022
Modified
21/12/2025
CVE-2013-3307
8.3 High

Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in …

Attack vector
NETWORK
Published
11/07/2025
Modified
21/12/2025
CVE-2013-1599
9.8 Critical

A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …

Attack vector
NETWORK
Published
28/01/2020
Modified
21/12/2025
CVE-2021-46422
9.8 Critical

Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any …

Attack vector
NETWORK
Published
27/04/2022
Modified
20/12/2025
CVE-2023-20118 KEV
6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector
Network
Published
03/03/2025
Modified
21/12/2025
CVE-2014-8361 KEV
9.8 Critical

Realtek SDK contains an improper input validation vulnerability in the miniigd SOAP service that allows remote attackers to execute malicious code via …

Attack vector
NETWORK
Complexity
LOW
Published
01/05/2015
Modified
22/04/2026
CVE-2024-42009 KEV
9.3 Critical

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …

Attack vector
Network
Published
09/06/2025
Modified
21/12/2025
Received
CVE-2023-28771 KEV
9.8 Critical

Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute …

Attack vector
Network
Published
31/05/2023
Modified
21/12/2025
CVE-2020-10987 KEV

Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.

Published
03/11/2021
Modified
20/12/2025
CVE-2023-50381
7.2 High

Three os command injection vulnerabilities exist in the boa formWsc functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of …

Attack vector
NETWORK
Published
08/07/2024
Modified
21/12/2025
Awaiting Analysis
CVE-2018-10561 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.

Published
31/03/2022
Modified
20/12/2025
CVE-2024-43451 KEV
6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector
Network
Published
12/11/2024
Modified
27/05/2026
Analyzed
CVE-2024-49113
7.5 High

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

Published
12/12/2024
Modified
12/12/2024
Undergoing Analysis
CVE-2022-49475

In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-qspi: check return value after calling platform_get_resource_byname() It will cause null-ptr-deref …

Published
26/02/2025
Modified
26/02/2025
Awaiting Analysis
CVE-2021-36260 KEV

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation.

Published
10/01/2022
Modified
20/12/2025
CVE-2022-30525 KEV

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and …

Published
16/05/2022
Modified
20/12/2025
CVE-2015-1548
5.0 Medium

mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol …

Published
10/02/2015
Modified
07/05/2026
CVE-2021-42013 KEV

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Published
03/11/2021
Modified
20/12/2025
CVE-2017-5259
9.0 Critical

In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path …

Published
20/12/2017
Modified
13/05/2026
CVE-2024-3721
6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector
NETWORK
Published
13/04/2024
Modified
21/12/2025
CVE-2022-44149
8.8 High

The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 and 80.103.2.5045 devices allows remote OS command execution by placing &telnetd in the JSON …

Attack vector
NETWORK
Published
06/01/2023
Modified
21/12/2025
CVE-2017-17106
10.0 Critical

Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This …

Published
19/12/2017
Modified
13/05/2026

Attack patterns (MITRE) (2)

Campaign (2)

  • Cutting Edge uses
  • RedPenguin uses

Course Of Action (2)

  • Filter Network Traffic mitigates
  • Disable or Remove Feature or Program mitigates