Command & Control
Shell Knocker Server
Detection overview
The "Shell Knocker Server detection" identifies a server that is potentially being used by attackers to gain unauthorized remote access to internal systems. This detection is triggered when network traffic or system behavior suggests that a server is listening for specific connection attempts designed to bypass standard authentication mechanisms. Shell Knockers are often used to establish a foothold in the network and facilitate further exploitation.
Triggers
- The server is communicating in an unusual manner with an internal client on a port that has previously shown a stable pattern for requests and responses
- The request received by the server and the response sent by it don’t conform to any of the previously observed patterns
Possible Root Causes
- The server has been compromised and the port has been hijacked to enable communication to the compromised part of the system without requiring a new port to be utilized for the communication
- The client or the server has been recently upgraded and the pattern of use on the server port has changed
- The client which triggered the detection has an unusual configuration in that it communicates with the port on this server in a manner unlike all the other observed communication on the port
Business Impact
- Port hijacking is a technique attackers use to enable communication to a compromised server without raising alarms which may go off when a new port is used on an existing server
- Compromised servers are often more valuable than compromised laptops as they remain on the network at all times and are often located in the data center where most of an organization’s important data resides
Steps to Investigate
- See if the pattern of the flagged request and response represent acceptable deviations from the normal patterns or are significant departures such as binary data in an otherwise character-based protocol
- Inquire whether the software which emitted the request on the client has recently been updated as this may cause detections for a short period of time after the update
- Inquire whether the software on this server which responded to the request has recently been updated as this may cause detections for a short period of time after the update
- This type of backdoor is most likely to be in a kernel module, so produce a list of all installed kernel modules and verify against list of good known kernel modules
- If the changed pattern remains unexplained, boot the client and server using a known good image on a USB device, then mount the local drive and scan it for signs of compromise
Shell Knocker Server
Possible root causes
Malicious Detection
- An attacker has set up a backdoor on the server, allowing remote access via a shell knocker.
- Compromised server configured to listen for connection attempts from an attacker's machine.
- Malware installed on the server that opens a backdoor and awaits shell knocking sequences.
Benign Detection
- Legitimate security testing tools or penetration testing activities mimicking shell knocking behavior.
- Custom applications or scripts configured to listen for specific connection attempts for administrative purposes.
- Misconfigured network services inadvertently behaving in a way that resembles shell knocking.
Shell Knocker Server
Example scenarios
Scenario 1: An internal server begins to receive high volumes of connection attempts on a non-standard port. Investigation reveals that the server is compromised, and the attacker has set up a shell knocker to gain remote access.
Scenario 2: A sudden spike in network traffic is detected, targeting specific sequences of connection attempts to a server. Further analysis indicates that a penetration testing team was performing a scheduled security assessment.
Shell Knocker Server
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Unauthorized Remote Access
Successful shell knocking can provide attackers with a backdoor into the network, leading to unauthorized access to sensitive data and systems.
Network Compromise
Attackers can use the compromised server as a pivot point for lateral movement, further compromising the network.
Data Exfiltration
Unauthorized access facilitated by shell knocking can lead to data breaches, resulting in potential financial and reputational damage.
Shell Knocker Server
Steps to investigate
Analyze Network Traffic Logs
Review logs for unusual traffic patterns to the server, focusing on non-standard ports and connection attempts from external IP addresses.
Examine Server Configuration
Check the server for signs of unauthorized changes, such as new services running, modified firewall rules, and unexpected open ports.
Investigate Authentication Logs
Look for gaps or anomalies in authentication logs that might indicate shell knocking attempts bypassing standard authentication.
Consult with IT and Security Teams
Verify if any legitimate security assessments or administrative tasks could explain the detected behavior.
Shell Knocker Server
MITRE ATT&CK techniques covered
Shell Knocker Server
Related detections
FAQs
What is a Shell Knocker Server?
A Shell Knocker Server is a system configured to listen for specific sequences of connection attempts designed to bypass standard authentication, allowing attackers to gain unauthorized remote access.
How can I detect a Shell Knocker Server in my network?
Detect Shell Knocker Servers by monitoring for unusual network traffic patterns, specific connection sequences, and anomalous system behavior indicating the presence of backdoors.
What are the common signs of a Shell Knocker Server?
Common signs include high volumes of connection attempts to non-standard ports, servers responding to unauthorized connection attempts, and unexpected changes in server configuration.
Why are Shell Knocker Servers a significant threat?
They can provide attackers with unauthorized remote access, leading to network compromise, data exfiltration, and further malicious activities.
Can legitimate software trigger this detection?
Yes, legitimate security testing tools, custom administrative scripts, and misconfigured services can generate behavior resembling shell knocking.
What steps should I take if I detect a Shell Knocker Server?
Investigate the source and nature of the connection attempts, check for unauthorized changes on the server, review authentication logs, and consult with IT and security teams to verify if the activity is legitimate.
How does Vectra AI identify Shell Knocker Servers?
Vectra AI uses advanced AI algorithms and machine learning to analyze network traffic and system behavior, identifying anomalies indicative of shell knocking activities.
What tools can help verify the presence of a Shell Knocker Server?
Tools such as network traffic analysis, firewall logs, and system configuration audits can help verify and investigate suspicious shell knocker server activities.
What is the business impact of a Shell Knocker Server?
It can lead to unauthorized remote access, network compromise, and data exfiltration, resulting in financial and reputational damage.
How can I prevent Shell Knocker Servers?
Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.