The host is communicating in an unusual manner with an internal server on a port that has previously shown a stable pattern for requests and responses
The request sent to the internal server and the response received from it don’t conform to any of the previously observed patterns
Possible root Causes
The server has been compromised and the port has been hijacked to enable communication to the compromised part of the system without requiring a new port to be utilized for the communication
The client or the server has been recently upgraded and the pattern of use on the server port has changed
This client has an unusual configuration in that it communicates with the port on the server in a manner unlike all the other observed communication on that port
Business Impact
Port hijacking is a technique attackers use to enable communication to a compromised server without raising alarms which may go off when a new port is used on an existing server
Compromised servers are often more valuable than compromised laptops as they remain on the network at all times and are often located in the data center where most of an organization’s important data resides
Steps to Verify
See if the pattern of the flagged request and response represent acceptable deviations from the normal patterns or are significant departures such as binary data in an otherwise character-based protocol
Inquire whether the software which emitted the request on this host has recently been updated as this may cause detections for a short period of time after the update
Inquire whether the software on the server which responded to the request has recently been updated as this may cause detections for a short period of time after the update
If the changed pattern remains unexplained, boot the client and server using a known good image on a USB device, then mount the local drive and scan it for signs of compromise
Shell Knocker Client
Possible root causes
Malicious Detection
Benign Detection
Shell Knocker Client
Example scenarios
Shell Knocker Client
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.
Don't just read about the possibilities – experience them.