S1204: cd00r

cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was originally released in 2000. The cd00r source code is primarily based on a packet-capturing program: it uses a sniffer to listen for a specific sequence of network traffic, a "secret knock", before executing the attacker's code.[1][2]

Enterprise | S1204 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

cd00r matters because it represents a backdoor pattern that can stay quiet until it sees a specific network “secret knock.” For leaders, the issue is not just one old open-source tool; it is whether network-device and UNIX-like environments have enough visibility to notice passive sniffing, unusual low-level protocol use, and hidden access triggers before they become an incident-response surprise.

Executive priority

Prioritize this as a resilience and visibility question for network infrastructure: can the organization prove it monitors network-device behavior, unauthorized sniffing, and non-application-layer command-and-control patterns? Because ATT&CK provides no detection guidance for this object, executives should ask whether SOC coverage depends only on open ports and application logs, which may miss port-knocking or packet-triggered access patterns.

Technical view

ATT&CK lists cd00r for Network Devices and relates it to System Network Configuration Discovery, Network Sniffing, Non-Application Layer Protocol, and Port Knocking. SOC and IR teams should validate whether they can detect hosts or network devices entering promiscuous capture behavior, observing or responding to unusual packet sequences, using ICMP/UDP or other non-application protocols unexpectedly, and collecting local network configuration details. Detection should be relationship-driven because the malware object itself has no official detection text.

Likely telemetry

  • Network flow records for unusual low-volume connection sequences or protocol use
  • Packet capture or IDS evidence for repeated closed-port connection attempts or “knock”-like patterns
  • Network-device logs, configuration changes, and management-plane activity
  • Host or device process telemetry where available for packet capture/sniffer behavior
  • Interface state indicators such as promiscuous mode where supported

Detection direction

  • Validate coverage for T1040 Network Sniffing and T1205.001 Port Knocking rather than looking only for known cd00r indicators.
  • Tune for unusual sequences of failed or closed-port connection attempts followed by changed access behavior, while accounting for scanners and legitimate monitoring tools as likely false positives.
  • Review whether Network Devices have sufficient logging; many environments collect flows but not device-level process or interface-state telemetry.
  • Correlate non-application-layer protocol activity under T1095 with source reputation, asset role, and expected management patterns.
  • Use T1016 context to look for suspicious local network configuration discovery on devices where such commands or reads are uncommon.

Mitigation priorities

  • Harden network-device management planes with least privilege, restricted management access, and strong change control.
  • Limit unnecessary inbound paths and enforce segmentation so hidden access triggers cannot easily expose sensitive management surfaces.
  • Disable or tightly control packet-capture capabilities on production devices except for approved administrative use.
  • Baseline expected ICMP, UDP, and other non-application protocol behavior for critical network segments.
  • Ensure incident-response playbooks include collection of flow data, device logs, configurations, and packet evidence for suspected port-knocking or sniffer-based backdoors.
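The "promiscuous mode" interface-state telemetry listed above and the mitigation on approved capture use can be tied together with a small log check. The Python below is an added example, not code from the ATT&CK entry or the cited reports: it parses kernel log lines for promiscuous-mode transitions and flags every capture start that is not on an allow-list of approved sensor hosts and interfaces, and it also reports interfaces still capturing at the end of the log. The Linux kernel message text ("device eth0 entered promiscuous mode" on older kernels, "eth0: entered promiscuous mode" on newer ones) is real; the host names, interface names, timestamps and the allow-list are constructed.

```python
"""Flag unapproved promiscuous-mode transitions in kernel log lines.

Added example for the cd00r page. A libpcap-based sniffer opening an interface
normally makes the Linux kernel log a promiscuous-mode transition; the checks
below compare those events against an allow-list of approved capture points.
All hosts, interfaces and the allow-list are constructed sample data.
"""
import re

# Constructed syslog-style lines. Message text follows the kernel's format;
# the hosts and interfaces are invented.
SAMPLE_SYSLOG = """\
Mar 10 02:14:07 edge-rtr-01 kernel: device eth1 entered promiscuous mode
Mar 10 02:14:09 edge-rtr-01 kernel: device eth1 left promiscuous mode
Mar 10 02:30:00 ids-sensor-02 kernel: ens5: entered promiscuous mode
Mar 10 03:01:45 app-srv-07 kernel: device eth0 entered promiscuous mode
Mar 10 03:01:46 app-srv-07 sshd[2213]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
"""

# Constructed allow-list of (host, interface) pairs approved for packet capture.
APPROVED_CAPTURE = {("ids-sensor-02", "ens5")}

# Matches both the older "device eth0 entered promiscuous mode" wording and the
# newer "eth0: entered promiscuous mode" wording.
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:device (?P<iface>\S+)|(?P<iface2>\S+):) (?P<action>entered|left) promiscuous mode$"
)


def _events(log_text):
    """Yield (ts, host, iface, action) for every promiscuous-mode transition."""
    for line in log_text.splitlines():
        m = PROMISC_RE.match(line)
        if m:
            yield (m.group("ts"), m.group("host"),
                   m.group("iface") or m.group("iface2"), m.group("action"))


def find_unapproved_promisc(log_text, approved=APPROVED_CAPTURE):
    """Return one finding per capture start on a host/interface not in the allow-list."""
    return [
        {"ts": ts, "host": host, "iface": iface}
        for ts, host, iface, action in _events(log_text)
        if action == "entered" and (host, iface) not in approved
    ]


def still_promiscuous(log_text):
    """Return the (host, iface) pairs that entered promiscuous mode and never left it."""
    active = set()
    for _, host, iface, action in _events(log_text):
        if action == "entered":
            active.add((host, iface))
        else:
            active.discard((host, iface))
    return active


if __name__ == "__main__":
    for finding in find_unapproved_promisc(SAMPLE_SYSLOG):
        print("unapproved capture start:", finding)
    print("interfaces still capturing:", sorted(still_promiscuous(SAMPLE_SYSLOG)))
```

In the sample, the router's brief capture is flagged even though it ended two seconds later, which is the point: on a production network device the capture start itself is the event to review, while the approved IDS sensor is silently accepted.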

Analyst notes and limits

The supplied ATT&CK object describes cd00r as an open-source UNIX/UNIX-variant backdoor released in 2000 that uses a sniffer to listen for specific network traffic before executing attacker code. Relationship context is the main source of defensive value: discovery, sniffing, non-application-layer C2, and port knocking.

ATT&CK provides no official detection text, no tactics directly on the malware object, no aliases, and only the Network Devices platform in the supplied object. Local device types, logging depth, and normal protocol baselines are required before assessing exposure or detection coverage.

Official MITRE ATT&CK definition

The definition quoted at the top of this page is MITRE's own text. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain, ID, Name, Relationship / procedure

Enterprise T1095 Non-Application Layer Protocol
  cd00r can monitor incoming C2 communications sent over TCP to the compromised host. [1][2]

Enterprise T1016 System Network Configuration Discovery
  cd00r can discover the IP for the network interface on the compromised device. [1]

Enterprise T1040 Network Sniffing
  cd00r can use the libpcap library to monitor captured packets for specific sequences. [1]

Enterprise T1205.001 Port Knocking (sub-technique)
  cd00r can monitor for a single TCP-SYN packet to be sent in series to a configurable set of ports (200, 80, 22, 53 and 3 in the original code) before opening a port for communication. [1][2]
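The port-knocking row above and the "Detection direction" guidance earlier on this page describe the same defensive problem: a short series of SYNs to closed ports from one source, followed by a newly accepted connection to the same host, with port scanners as the obvious false positive. The Python below is an added example written for this page, not code from the ATT&CK entry or the cited reports. It runs that logic over constructed connection records: the five-port sequence 200, 80, 22, 53, 3 comes from the relationship row; the 30-second window, the minimum knock count, the fan-out threshold used to suppress scanner-like sources, the IP addresses and the "closed"/"established" outcome labels are all assumptions. It goes slightly beyond the row by also alerting, at lower severity, on unknown knock sequences that precede a new service appearing.

```python
"""Detect port-knock-like access patterns in connection records.

Added example for the cd00r page. Looks for closed-port SYN attempts from one
source followed shortly by a newly accepted connection to the same host, names
the match when the knock order equals a known sequence, and drops sources whose
port fan-out looks like a scan. Records are constructed flow-log style tuples.
"""
from collections import defaultdict

# Constructed sample records: (timestamp_s, src, dst, dport, outcome).
# "closed" = a SYN answered by RST or nothing; "established" = completed handshake.
SAMPLE_FLOWS = [
    # source A: the five-port knock from the original cd00r code, then a new service answers
    (100.0, "10.0.0.5", "10.0.0.9", 200, "closed"),
    (100.4, "10.0.0.5", "10.0.0.9", 80, "closed"),
    (100.8, "10.0.0.5", "10.0.0.9", 22, "closed"),
    (101.2, "10.0.0.5", "10.0.0.9", 53, "closed"),
    (101.6, "10.0.0.5", "10.0.0.9", 3, "closed"),
    (103.0, "10.0.0.5", "10.0.0.9", 5002, "established"),
    # source B: scanner-like fan-out across many ports, then an ordinary SSH session
    *[(200.0 + i, "10.0.0.7", "10.0.0.9", p, "closed")
      for i, p in enumerate([21, 23, 25, 110, 139, 143, 445, 3389, 8080, 8443])],
    (215.0, "10.0.0.7", "10.0.0.9", 22, "established"),
    # source C: routine HTTPS only
    (300.0, "10.0.0.8", "10.0.0.9", 443, "established"),
    # source D: an unknown three-port sequence followed by a new listener
    (400.0, "10.0.0.11", "10.0.0.9", 7000, "closed"),
    (401.0, "10.0.0.11", "10.0.0.9", 8000, "closed"),
    (402.0, "10.0.0.11", "10.0.0.9", 9000, "closed"),
    (405.0, "10.0.0.11", "10.0.0.9", 6000, "established"),
]

# Knock sequences worth naming. The cd00r defaults are the ports given in the ATT&CK row.
KNOWN_SEQUENCES = {"cd00r-default": [200, 80, 22, 53, 3]}


def is_ordered_subsequence(needle, haystack):
    """True if every port in needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(any(p == q for q in it) for p in needle)


def detect_knock_patterns(flows, known_sequences=KNOWN_SEQUENCES, window_s=30.0,
                          min_knocks=3, scan_fanout=8):
    """Return one alert per (src, dst) pair showing knock-then-new-access behaviour."""
    by_pair = defaultdict(list)
    for rec in sorted(flows):  # timestamp is the first field, so this orders by time
        by_pair[(rec[1], rec[2])].append(rec)

    alerts = []
    for (src, dst), recs in by_pair.items():
        ever_established = set()  # ports this source has successfully reached before
        closed = []               # (ts, port) of closed-port attempts inside the window
        for ts, _, _, dport, outcome in recs:
            closed = [(t, p) for t, p in closed if ts - t <= window_s]
            if outcome == "closed":
                closed.append((ts, dport))
                continue
            if outcome != "established":
                continue
            new_service = dport not in ever_established
            ever_established.add(dport)
            if not new_service or len(closed) < min_knocks:
                continue
            ports = [p for _, p in closed]
            if len(set(ports)) >= scan_fanout:
                continue  # wide fan-out reads as a scanner, the false positive the page warns about
            matched = next((name for name, seq in known_sequences.items()
                            if is_ordered_subsequence(seq, ports)), None)
            alerts.append({"src": src, "dst": dst, "knock_ports": ports,
                           "access_port": dport, "known_sequence": matched,
                           "severity": "high" if matched else "medium"})
            closed = []  # the knock has been consumed; start fresh for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect_knock_patterns(SAMPLE_FLOWS):
        print(alert)
```

Against the sample data this yields two alerts: a high-severity match on the cd00r default order for 10.0.0.5, and a medium-severity unknown-sequence alert for 10.0.0.11; the ten-port probe from 10.0.0.7 is suppressed by the fan-out threshold and the plain HTTPS client produces nothing. In production the same logic would be fed from flow records or IDS connection logs, and the fan-out threshold and window should be tuned per segment so that legitimate monitoring tools are excluded by asset role rather than by chance.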

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: c59934d8e54299d5...

Imported snapshots across ATT&CK releases (1)
Release 19.1, object version 1.0, status: current bundle, raw hash c59934d8e542…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Hartrell cd00r 2002: Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.
  2. [2] Lumen J-Magic JAN 2025: Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
  3. [3] mitre-attack S1204: the MITRE-hosted entry for this object on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.