Traffic Signaling: Socket Filters

Created the Tuesday 07 March 2023. Updated 6 months, 3 weeks ago.

Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.

To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria. Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.

Filters can be installed on Windows hosts using Winpcap.

Technique Identifier

T1205.002

Technique Tags

Defense Evasion Persistence Command and Control network socket filtering activate backdoors Winpcap Protocol Tunneling raw socket connections

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Traffic Signaling: Socket Filters, Sub-technique T1205.002 - Enterprise | MITRE ATT&CK®