Description
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020)
Filters can be installed on any Unix-like platform with libpcap installed or on Windows hosts using Winpcap. Adversaries may use either libpcap with pcap_setfilter or the standard library function setsockopt with SO_ATTACH_FILTER options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.
Platforms
Mitigations (1)
Filter Network TrafficM1037
Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S1224 | CASTLETAP | Malware | [CASTLETAP](https://attack.mitre.org/software/S1224) can listen for a specialized ICMP packet for activation on compromised network devices.(Citation:... |
| S1161 | BPFDoor | Malware | [BPFDoor](https://attack.mitre.org/software/S1161) uses BPF bytecode to attach a filter to a network socket to view ICMP, UDP, or TCP packets coming t... |
| S1123 | PITSTOP | Malware | [PITSTOP](https://attack.mitre.org/software/S1123) can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located... |
| S0587 | Penquin | Malware | [Penquin](https://attack.mitre.org/software/S0587) installs a `TCP` and `UDP` filter on the `eth0` interface.(Citation: Leonardo Turla Penquin May 202... |
References
- ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of a passive backdoor. Retrieved October 18, 2022.
- Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
- Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008 Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.
Frequently Asked Questions
What is T1205.002 (Socket Filters)?
T1205.002 is a MITRE ATT&CK technique named 'Socket Filters'. It belongs to the Stealth, Persistence, Command and Control tactic(s). Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `...
How can T1205.002 be detected?
Detection of T1205.002 (Socket Filters) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1205.002?
There are 1 documented mitigations for T1205.002. Key mitigations include: Filter Network Traffic.
Which threat groups use T1205.002?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.