| ID | X0020 |
| Aliases | None |
| Platforms | Cisco |
| Year | 2015 |
| Associated ATT&CK Software | None |
SYNful Knock is a modification of the router's firmware images used to maintain persistence. [1]
| Name | Use |
|---|---|
| Persistence::Component Firmware::Router Firmware (F0009.001) | SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. [1] |
| Defense Evasion::Hijack Execution Flow (F0015) | SYNful Knock hooks iOS functions to call and initialize the malware. [1] |
| Name | Use |
|---|---|
| Memory::Change Memory Protection (C0008) | SYNful Knock modifies the translation lookaside buffer (TLB) Read/Write attributes. [1] |
| Communication::Socket Communication::Send TCP Data (C0001.014) | To initiate communication with the C2 server, a uniquely crafted TCP SYN packet is sent to port 80 of the "implanted" router. [1] |
| Defense Evasion::Alternative Installation Location::Fileless Malware (B0027.001) | 100 memory-resident modules can be installed. [1] |