Esc

Socket Filters - T1205.002

(ATT&CK® Technique)

Definition

Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1205002["Socket Filters"] --> |produces| NetworkTraffic["Network Traffic"]; class T1205002 OffensiveTechniqueNode;
        class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
        click T1205002 href "/offensive-technique/attack/T1205.002/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";  Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1205002["Socket Filters"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1205002["Socket Filters"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1205002["Socket Filters"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1205002["Socket Filters"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1205002["Socket Filters"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1205002["Socket Filters"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1205002["Socket Filters"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | NetworkTraffic["Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1205002["Socket Filters"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";

json