AN0205: Analytic 0205
`socat`, `ssh`, `iptables`, or `ncat` invoked from user space or cron jobs to create port forwarding, reverse shells, or inter-host tunnels between compromised Linux systems. Behavior is typically paired with socket activity and high-entropy traffic.
Analyst context for executives and security teams
This analytic is about Linux systems using common user-space tools such as socat, ssh, iptables, or ncat to create forwarding paths, reverse shells, or tunnels between compromised hosts. For leaders, the practical issue is not the tool names alone: these behaviors can turn one affected Linux host into a relay point, complicating containment, segmentation, and incident scoping.
Executive priority
Prioritize this where Linux servers support critical services, administration paths, or segmented environments. Security leaders should ask whether SOC teams can see unexpected tunnel creation, cron-driven network activity, and unusual encrypted or high-entropy traffic between internal hosts. This is relevant to incident response readiness, network segmentation assurance, and audit evidence that administrative access and lateral movement controls are monitored.
Technical view
Validate Linux telemetry for executions of socat, ssh, iptables, or ncat from interactive user space and scheduled cron contexts, correlated with new listening sockets, outbound connections, port forwarding behavior, or unusual inter-host traffic. Because no official detection logic or tactics are supplied, teams should treat this as a behavior-validation requirement rather than a ready-to-deploy rule. Focus on deviations from known administrative baselines and authorized automation.
Likely telemetry
- Linux process execution telemetry including command line and parent process
- Cron job creation, modification, and execution records
- Network socket and connection telemetry from Linux hosts
- Firewall or packet-filter configuration changes involving iptables
- Network flow data showing inter-host tunnels, port forwarding patterns, or unusual encrypted/high-entropy traffic
Detection direction
- Baseline legitimate use of ssh, socat, ncat, and iptables by administrators and automation before alerting on tool names alone.
- Correlate process execution with socket activity; isolated command execution may be noisy, while command execution plus new listeners, forwarding behavior, or unusual destinations is more decision-useful.
- Review cron-launched instances of these tools carefully, since scheduled execution can indicate persistence or recurring tunnel setup, but may also reflect legitimate operations.
- Tune for Linux environments specifically; no other platforms are supplied for this analytic.
- Account for blind spots where endpoint telemetry lacks full command-line capture, where encrypted traffic cannot be inspected, or where network flow data is not tied back to host process context.
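The correlation the technical view and the detection direction describe (tool execution plus a second signal such as a new listener, an outbound connection, or a cron parent, minus a documented administrative baseline) can be expressed as a small scoring routine. The Python below is an added example, not detection logic from the ATT&CK analytic or from the Glexia page, which states that none is supplied. The event field names, the baseline entry, the host names and the addresses are all constructed for the example; the command-line indicators are common flag patterns for the named tools and should be tuned to local usage.

```python
"""Correlate tunnelling-tool executions on Linux with socket activity.

Added example, not the analytic's own logic. Event shapes, the admin
baseline and the sample events below are constructed for illustration.
"""
from __future__ import annotations

import os
import re
import shlex
from dataclasses import dataclass, field

# Tools named by the analytic; "nc" is included because ncat is often
# installed under that alias. Drop it if your estate does not use it.
TUNNEL_TOOLS = {"socat", "ssh", "iptables", "ncat", "nc"}
CRON_PARENTS = {"cron", "crond", "anacron"}
WINDOW_SECONDS = 30  # how close a socket event must follow the execve

# Command-line patterns that indicate forwarding, listener or exec setup.
CMDLINE_INDICATORS = {
    "ssh": re.compile(r"(^|\s)-(R|L|D|w)(\s|\d|$)"),
    "socat": re.compile(r"(TCP4?-?LISTEN|UDP4?-?LISTEN|EXEC:|SYSTEM:)", re.I),
    "ncat": re.compile(r"(^|\s)(-l|--listen|-e|--exec|--sh-exec)(\s|$)"),
    "nc": re.compile(r"(^|\s)(-l|-e)(\s|$)"),
    "iptables": re.compile(r"\b(DNAT|REDIRECT|MASQUERADE|PREROUTING|FORWARD)\b"),
}


@dataclass
class ProcEvent:
    ts: int
    host: str
    pid: int
    user: str
    parent: str      # basename of the parent image
    cmdline: str


@dataclass
class SockEvent:
    ts: int
    host: str
    pid: int
    kind: str        # "listen" or "connect"
    addr: str        # local addr:port for listen, remote addr:port for connect


@dataclass
class Finding:
    host: str
    pid: int
    tool: str
    cmdline: str
    reasons: list[str] = field(default_factory=list)


# Approved baseline: (user, tool, regex over cmdline). A match is treated as
# authorised automation and suppressed. Constructed entry for the example.
BASELINE = [
    ("backup", "ssh",
     re.compile(r"-R\s+\d+:localhost:22\s+backup@bkp01\.corp\.example$")),
]


def tool_name(cmdline: str) -> str | None:
    """Return the tool of interest this command line launches, if any."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv:
        return None
    name = os.path.basename(argv[0])
    return name if name in TUNNEL_TOOLS else None


def is_baselined(ev: ProcEvent, tool: str) -> bool:
    return any(u == ev.user and t == tool and rx.search(ev.cmdline)
               for u, t, rx in BASELINE)


def correlate(procs: list[ProcEvent], socks: list[SockEvent]) -> list[Finding]:
    """Emit one finding per non-baselined execution with corroborating signals."""
    findings: list[Finding] = []
    for ev in procs:
        tool = tool_name(ev.cmdline)
        if tool is None or is_baselined(ev, tool):
            continue
        reasons: list[str] = []
        if CMDLINE_INDICATORS[tool].search(ev.cmdline):
            reasons.append("cmdline:forwarding-or-listener-flags")
        if ev.parent in CRON_PARENTS:
            reasons.append("parent:cron")
        for s in socks:
            if (s.host == ev.host and s.pid == ev.pid
                    and 0 <= s.ts - ev.ts <= WINDOW_SECONDS):
                reasons.append(f"socket:{s.kind}:{s.addr}")
        # iptables rewrites the packet path rather than opening a socket, so a
        # NAT/forward rule outside the baseline is corroborated on its own.
        # Every other tool needs two signals; a bare execution is left for
        # baselining, as the analytic suggests.
        strong = tool == "iptables" and "cmdline:forwarding-or-listener-flags" in reasons
        if len(reasons) >= 2 or strong:
            findings.append(Finding(ev.host, ev.pid, tool, ev.cmdline, reasons))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_PROCS = [
    ProcEvent(100, "web01", 4101, "backup", "crond",
              "ssh -N -R 2222:localhost:22 backup@bkp01.corp.example"),
    ProcEvent(200, "web01", 4220, "www-data", "crond",
              "socat TCP4-LISTEN:8443,fork,reuseaddr TCP4:10.9.9.9:443"),
    ProcEvent(300, "db02", 5310, "root", "bash",
              "iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to 10.9.9.9:3306"),
    ProcEvent(400, "db02", 5402, "alice", "bash", "ssh db02-replica uptime"),
]
SAMPLE_SOCKS = [
    SockEvent(101, "web01", 4101, "connect", "10.20.0.5:22"),
    SockEvent(202, "web01", 4220, "listen", "0.0.0.0:8443"),
    SockEvent(402, "db02", 5402, "connect", "10.20.0.9:22"),
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_PROCS, SAMPLE_SOCKS):
        print(f"{f.host} pid={f.pid} {f.tool}: {', '.join(f.reasons)}")
```

Run against the constructed sample, the baselined backup tunnel and the plain interactive `ssh db02-replica uptime` are suppressed, while the cron-launched socat listener and the root NAT rule become findings, each carrying the reasons an analyst needs to triage. The window, the baseline and the indicator patterns are the tuning points the detection direction calls out.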
Mitigation priorities
- Establish and document approved administrative tunneling and port-forwarding use cases on Linux systems.
- Restrict who can install or execute uncommon networking utilities where operationally feasible.
- Monitor and review cron entries and privileged network configuration changes on critical Linux hosts.
- Strengthen segmentation controls so a single Linux host cannot easily become an unauthorized relay between zones.
- Ensure incident response playbooks include rapid validation of active sockets, scheduled jobs, and recent firewall or tunnel configuration changes.
Analyst notes and limits
The object is a detection analytic for Linux and describes behavior involving user-space or cron-launched tunneling and forwarding utilities. It has no supplied tactic mapping, no official detection text, and no relationship context, so local baselines and telemetry availability are essential to operationalize it.
This take is limited to the supplied ATT&CK fields and external reference. It does not assert active exploitation, actor use, impact, or guaranteed detection coverage. The analytic names relevant tools and behaviors but does not provide formal detection logic, thresholds, or false-positive guidance.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fccc463413ce… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0205
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.