Shell Knocker Client

Shell Knocker Client

Signs of Shell Knocker Client

  • The host is communicating in an unusual manner with an internal server on a port that has previously shown a stable pattern for requests and responses
  • The request sent to the internal server and the response received from it don’t conform to any of the previously observed patterns
  • The threat score is driven by either the duration of the connection between the client and the server; if the server returns a null response, the threat score is driven by the size of the client request
  • The certainty score is driven by the level of dissimilarity between normal patterns of communication and the flagged communication

Possible root Cause of a Shell Knocker Client

  • The server has been compromised and the port has been hijacked to enable communication to the compromised part of the system without requiring a new port to be utilized for the communication
  • The client or the server has been recently upgraded and the pattern of use on the server port has changed
  • This client has an unusual configuration in that it communicates with the port on the server in a manner unlike all the other observed communication on that port

Business Impact of a Shell Knocker Client

  • Port hijacking is a technique attackers use to enable communication to a compromised server without raising alarms which may go off when a new port is used on an existing server
  • Compromised servers are often more valuable than compromised laptops as they remain on the network at all times and are often located in the data center where most of an organization’s important data resides

How to Investigate Shell Knocker Clients

  1. See if the pattern of the flagged request and response represent acceptable deviations from the normal patterns or are significant departures such as binary data in an otherwise character-based protocol
  2. Inquire whether the software which emitted the request on this host has recently been updated as this may cause detections for a short period of time after the update
  3. Inquire whether the software on the server which responded to the request has recently been updated as this may cause detections for a short period of time after the update
  4. If the changed pattern remains unexplained, boot the client and server using a known good image on a USB device, then mount the local drive and scan it for signs of compromise

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections