1. Home
  2. Techniques
  3. Enterprise
  4. 流量激活

流量激活

ID Name
T1205.001 多态化端口序列触发
T1205.002 协议字段隐匿触发

流量激活是攻击者通过特定网络信号触发系统开启隐蔽通信通道或执行恶意功能的持久化技术,其核心在于利用预定义魔法值或数据包序列控制目标系统行为。传统防御手段主要通过监控非常规端口访问序列、检测固定魔法包特征(如Wake-on-LAN的FF:FF:FF:FF:FF:FF前缀)来识别攻击行为,依赖深度包检测技术解析协议异常字段。

为规避基于固定模式匹配的检测机制,攻击者发展出多维动态化与协议深度伪造相结合的匿迹技术。通过引入密码学算法、协议逆向工程和上下文感知机制,将激活信号的特征溶解在合法网络交互中,构建出具备强隐蔽性和抗分析能力的下一代流量激活体系。

现有匿迹技术的共性在于构建"协议合规性"与"动态不可预测性"的双重防御穿透能力。动态端口敲门通过混沌算法生成非重复激活序列,破坏传统基于规则库的检测模型;协议字段隐匿触发利用协议规范的灰色地带承载分片化指令,迫使防御方必须实施全流量持久化存储与多包关联分析。这些技术的本质突破在于将单一魔法值检测问题转化为动态协议语义理解挑战,迫使防御体系从特征匹配升级为行为认知。

匿迹技术的演进使得传统基于固定规则和静态特征库的检测方法面临根本性失效,防御方需构建协议语义深度解析、加密流量行为建模、长周期上下文关联分析等新型能力,同时结合目标系统的业务逻辑白名单机制,才能有效识别高度伪装的流量激活攻击。

ID: T1205
Sub-techniques:  T1205.001, T1205.002
Platforms: Linux, Network, Windows, macOS
Defense Bypassed: Defensive network service scanning
Contributors: Josh Day, Gigamon; Tony Lee
Version: 2.4
Created: 18 April 2018
Last Modified: 19 October 2022

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过精确模拟合法协议的数据格式与交互流程,将激活信号完全融入正常业务流量。例如利用工业控制协议的标准功能码传递魔法值,或通过HTTPS加密通道传输嵌套加密的触发指令,使得激活流量在协议解析层面呈现合法业务特征,规避基于协议异常检测的防御机制。

数据遮蔽

在激活信号传输过程中采用流加密(如TLS 1.3)或格式混淆技术(如Unicode字符映射),隐藏魔法值的可读特征。加密通道的使用使得网络层检测无法直接提取关键指令参数,需依赖流量解密才能识别恶意负载。

时空释痕

通过动态端口序列和随机化时间间隔策略,将集中式激活行为分解为长周期、低关联的离散事件。攻击者利用分布式节点发送激活信号片段,每个节点的行为在时空维度上均低于检测阈值,使得传统基于时间窗口的异常聚合分析难以奏效。

Procedure Examples

ID Name Description
S1118 BUSHWALK

BUSHWALK can modify the DSUserAgentCap.pm Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests.[1]
S0220 Chaos

Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port.[2]
C0029 Cutting Edge

During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the /tmp/clientsDownload.sock socket.[1]
S0641 Kobalos

Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.[3][4]

S0664 Pandora

Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command.[5]
S0587 Penquin

Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions.[6][7]
S0446 Ryuk

Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement.[8]
S0519 SYNful Knock

SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.[9]
S0221 Umbreon

Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[10]
S0022 Uroburos

Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.[11]
S0430 Winnti for Linux

Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[12]
S1114 ZIPLINE

ZIPLINE can identify a specific string in intercepted network traffic, SSH-2.0-OpenSSH_0.3xx., to trigger its command functionality.[13]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable Wake-on-LAN if it is not needed within an environment.
M1037 Filter Network Traffic

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Content

Monitor and analyze network packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider packet inspection for Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.[14]
Network Traffic Flow

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpcted hardware devices, or other uncommon data flows.
DS0009 Process Process Creation

Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.[15]

References

  1. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  2. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  3. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  4. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  5. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  6. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  7. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
  8. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
  1. Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.
  2. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  3. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  4. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  5. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  6. Perry, David. (2020, August 11). WakeOnLAN (WOL). Retrieved February 17, 2021.
  7. Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022.