Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0524: Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205

This detection strategy is tied to ATT&CK technique T1205, Traffic Signaling: adversaries may hide malicious access or functionality until a specific netwo...

EnterpriseDET0524Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is tied to ATT&CK technique T1205, Traffic Signaling: adversaries may hide malicious access or functionality until a specific network signal, port-knock pattern, or “magic packet” activates it. For leaders, the practical risk is that a system can appear closed or inactive during normal scans, while still retaining a concealed path for persistence or command and control.

Executive priority

Prioritize this as a resilience and assurance issue where Linux, macOS, Windows, or network devices are in scope for monitoring. The key business question is whether security teams can prove they would see unusual pre-activation network patterns and post-activation service exposure, not just whether routine vulnerability scans show open ports. This matters for incident response scoping, firewall assurance, network monitoring investment, and audit evidence around hidden remote access paths.

Technical view

The ATT&CK object provides no official detection text, so validation should be driven by the related T1205 behavior: traffic signaling used for stealth, persistence, and command and control. SOC and detection engineering teams should test whether network telemetry can correlate unusual packet sequences or magic-value-like traffic with a subsequent firewall change, service activation, listening port, or outbound/inbound command-and-control session. IR teams should treat unexplained transient service exposure or firewall rule changes as potentially related context, especially on Windows, Linux, macOS, and network devices identified in the related technique.

Likely telemetry

  • Network flow records showing unusual connection attempts, packet sequences, or low-volume signaling before access is granted
  • Firewall, host firewall, and network device logs showing rule changes, allowed sessions, or previously closed ports becoming reachable
  • Endpoint process and service telemetry showing service start, listener creation, or task execution following network activity
  • Packet capture or network security sensor data where available to inspect packet characteristics beyond flow metadata
  • Authentication and remote access logs that occur immediately after suspicious signaling or port exposure

Detection direction

  • Validate correlation between suspicious pre-access traffic patterns and later service activation, port exposure, or command-and-control activity.
  • Tune for low-volume and sequence-based behavior; simple port-scan or open-port detections may miss traffic signaling because the malicious function may remain hidden until activated.
  • Review false positives from legitimate port-knocking, administrative remote-access workflows, network device management, and security testing activities.
  • Use relationship context from T1205 to include stealth, persistence, and command-and-control hunting paths rather than treating this only as a network anomaly.
  • Confirm whether telemetry covers the related platforms: Linux, macOS, Windows, and network devices. The detection-strategy object itself does not specify platforms.

Mitigation priorities

  • Inventory and govern any legitimate port-knocking, magic-packet, or conditional-access network mechanisms so defenders can distinguish approved behavior from suspicious activation patterns.
  • Restrict and monitor firewall and service configuration changes, especially those that create transient or conditional access paths.
  • Prioritize network and host telemetry retention that can join pre-activation traffic with later service, process, or connection activity.
  • Include this behavior in incident response playbooks for hidden persistence and command-and-control review when unexplained ports, listeners, or network device rule changes are found.
  • Use vulnerability management and configuration assurance to verify that externally exposed services and management paths are expected, documented, and monitored.
Analyst notes and limits

DET0524 is a detection-strategy object for T1205 Traffic Signaling. The supplied object has no official description, no official detection text, and no native platform or tactic values; the practical guidance above is inferred from the supplied relationship to T1205 and its provided description, tactics, and platforms.

Because the official detection content is not provided, this take cannot assert specific analytic logic, data components, effectiveness, or guaranteed coverage. Local architecture, approved remote-access patterns, firewall designs, and available packet/flow/endpoint telemetry are required to determine actual detection feasibility.

Official MITRE ATT&CK definition

Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1205 Traffic Signaling This object detects Traffic Signaling.
Relationship explorer

All related ATT&CK context

detects · Technique T1205: Traffic Signaling Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
07e623ed8b647ca4...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 07e623ed8b64…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0524
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use