| ID | Name |
|---|---|
| T1205.001 | Port Knocking |
| T1205.002 | Socket Filters |
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.[1] Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.[2][3]
Filters can be installed on any Unix-like platform with libpcap installed or on Windows hosts using Winpcap. Adversaries may use either libpcap with pcap_setfilter or the standard library function setsockopt with SO_ATTACH_FILTER options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.
| ID | Name | Description |
|---|---|---|
| S1161 | BPFDoor |
BPFDoor uses BPF bytecode to attach a filter to a network socket to view ICMP, UDP, or TCP packets coming through ports 22 (ssh), 80 (http), and 443 (https). When BPFDoor finds a packet containing its "magic" bytes, it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields.[4][5] |
| S1224 | CASTLETAP |
CASTLETAP can listen for a specialized ICMP packet for activation on compromised network devices.[6] |
| S0587 | Penquin |
Penquin installs a |
| S1123 | PITSTOP |
PITSTOP can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located at |
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic |
Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0162 | Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) | AN0462 |
Adversary installs/uses packet-capture or raw-socket capability (WinPcap/Npcap, wpcap/packet DLLs or raw socket attach) and sets a filter. A crafted inbound packet is observed; within a short window the host process that loaded capture libraries initiates an outbound connection (e.g., reverse shell) to the packet origin. |
| AN0463 |
Process creates a raw/packet socket and attaches a (e)BPF filter (setsockopt SO_ATTACH_FILTER/ATTACH_BPF or bpf(BPF_PROG_LOAD)). Immediately after a matching inbound packet, the same process binds/connects outward to a remote host (reverse shell or beacon). |
||
| AN0464 |
Process opens /dev/bpf* (libpcap) or loads NetworkExtension filter, then after a crafted inbound packet the same process initiates an outbound connection to the trigger origin. |