T1205.002: Socket Filters
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap
library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria. Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.
Filters can be installed on any Unix-like platform with libpcap
installed or on Windows hosts using Winpcap
. Adversaries may use either libpcap
with pcap_setfilter
or the standard library function setsockopt
with SO_ATTACH_FILTER
options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.
Positive Technologies products that cover the technique
Description of detection methods is not available yet
Detection
ID | DS0029 | Data source and component | Network Traffic: Network Connection Creation | Description | Monitor recently started applications creating raw socket connections. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy. |
---|
Mitigation
ID | M1037 | Name | Filter Network Traffic | Description | Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented. |
---|