1. Home
  2. Techniques
  3. Enterprise
  4. Traffic Signaling
  5. Socket Filters

Traffic Signaling: Socket Filters

ID Name
T1205.001 Port Knocking
T1205.002 Socket Filters

Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.

To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.[1] Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.[2][3]

Filters can be installed on any Unix-like platform with libpcap installed or on Windows hosts using Winpcap. Adversaries may use either libpcap with pcap_setfilter or the standard library function setsockopt with SO_ATTACH_FILTER options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.

ID: T1205.002
Sub-technique of:  T1205
Platforms: Linux, Windows, macOS
Contributors: CrowdStrike; Tim (Wadhwa-)Brown
Version: 1.0
Created: 30 September 2022
Last Modified: 20 October 2022
Version Permalink

Procedure Examples

ID Name Description
S0587 Penquin

Penquin installs a TCP and UDP filter on the eth0 interface.[3]
S1123 PITSTOP

PITSTOP can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located at /data/runtime/cockpit/wd.fd for a predefined magic byte sequence. PITSTOP can then duplicate the socket for further communication over TLS.[4]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor recently started applications creating raw socket connections.[5]
DS0009 Process Process Creation

Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.[5]

References

  1. Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008 Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.
  2. ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of a passive backdoor. Retrieved October 18, 2022.
  3. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  1. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  2. Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022.