MITRE ATT&CK® Analytic

AN0462: Analytic 0462

Adversary installs/uses packet-capture or raw-socket capability (WinPcap/Npcap, wpcap/packet DLLs or raw socket attach) and sets a filter. A crafted inbound packet is observed; within a short window the host process that loaded capture libraries initiates an outbound connection (e.g., reverse shell) to the packet origin.

Domain: Enterprise. ID: AN0462. Type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it looks for a Windows process that has loaded packet-capture or raw-socket capability, waits for a specific inbound packet, and then quickly initiates an outbound connection back to the packet source, a sequence consistent with a packet-triggered backdoor or reverse shell. For leaders, the decision value is whether endpoint, network, and SOC telemetry can be joined into one timeline: each log in isolation looks benign, while the ordered sequence is what indicates covert command initiation or reverse connectivity.

Executive priority

Prioritize this as a validation question for Windows endpoint visibility and incident response readiness: can the organization prove which hosts load packet-capture components, observe suspicious inbound packets, and then create outbound connections in a short window? This supports operational resilience and audit evidence by showing whether SOC teams can investigate unusual host-level network behavior rather than relying only on perimeter alerts.

Technical view

On Windows, validate whether telemetry can identify processes loading WinPcap/Npcap user-mode components (wpcap.dll and Packet.dll), use of raw sockets or packet-capture capability, inbound packet observations, applied capture filters where visible, and subsequent outbound connections from the same host process to the packet origin within a short time window. Because no official detection logic is provided, teams should build and test the correlation logic themselves and confirm that process-to-network attribution is reliable before trusting it.

Likely telemetry

  • Windows process execution and process lineage telemetry
  • Module/DLL load telemetry for packet-capture libraries such as wpcap/packet-related components
  • Endpoint network connection telemetry with process attribution
  • Network sensor or host firewall logs showing inbound packet source and outbound destination
  • Evidence of packet-capture driver or library installation, such as WinPcap/Npcap installer activity, the wpcap.dll and Packet.dll user-mode libraries, or the kernel driver (npf.sys for WinPcap, npcap.sys for Npcap)

Detection direction

  • Correlate three conditions: packet-capture or raw-socket capability present, inbound packet observed from a source, and outbound connection from the related host process to that same source shortly afterward.
  • Tune for legitimate administrative, troubleshooting, monitoring, and security tools that use packet-capture libraries to reduce false positives.
  • Validate whether the environment captures DLL/module loads; without this, the analytic may need to rely on weaker indicators such as installed capture tools plus network behavior.
  • Confirm process-level network attribution, not just host-level traffic, because host-only correlation can misidentify the responsible process.
  • Review short-window timing assumptions against local logging latency and clock synchronization.
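The three-condition correlation described in the list above, as an added worked example. This is illustrative code written for this page, not MITRE or Glexia detection content. It runs over a handful of constructed JSON event lines standing in for endpoint and network telemetry; the event kinds and field names (kind, host, pid, image, module, src_ip, dst_ip, ts), the 30-second window, the 2-second clock-skew tolerance and the Wireshark allowlist entry are all assumptions chosen for the demonstration.

```python
"""Windowed correlation for the AN0462 pattern: a process that loaded a
packet-capture library, an inbound packet from some source, then an outbound
connection from that same process back to the source within a short window.

Illustrative code added for this page; not MITRE or Glexia detection content.
Event shape and field names are assumptions that stand in for real telemetry
(roughly: Sysmon Event ID 7 image loads, a network sensor's inbound packet
records, and Sysmon Event ID 3 / EDR network-connection events with a pid).
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# User-mode capture libraries named by the analytic (Npcap installs them under
# System32\Npcap; WinPcap put them directly in System32). Matched on basename.
CAPTURE_LIBS = frozenset({"wpcap.dll", "packet.dll"})

# Constructed sample telemetry, not real logs. Raw string so the JSON keeps
# its escaped backslashes. IPs are documentation ranges (RFC 5737).
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T10:00:00Z","kind":"image_load","host":"WS01","pid":4412,"image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe","module":"C:\\Windows\\System32\\Npcap\\wpcap.dll"}
{"ts":"2024-05-01T10:05:00Z","kind":"inbound","host":"WS01","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T10:05:03Z","kind":"net_conn","host":"WS01","pid":4412,"dst_ip":"203.0.113.7","dst_port":4444}
{"ts":"2024-05-01T10:05:10Z","kind":"net_conn","host":"WS01","pid":5120,"dst_ip":"203.0.113.7","dst_port":443}
{"ts":"2024-05-01T10:10:00Z","kind":"image_load","host":"WS02","pid":900,"image":"C:\\Program Files\\Wireshark\\Wireshark.exe","module":"C:\\Windows\\System32\\Npcap\\wpcap.dll"}
{"ts":"2024-05-01T10:11:00Z","kind":"inbound","host":"WS02","src_ip":"198.51.100.9"}
{"ts":"2024-05-01T10:11:02Z","kind":"net_conn","host":"WS02","pid":900,"dst_ip":"198.51.100.9","dst_port":22}
{"ts":"2024-05-01T10:31:00Z","kind":"inbound","host":"WS01","src_ip":"192.0.2.50"}
{"ts":"2024-05-01T10:41:00Z","kind":"net_conn","host":"WS01","pid":4412,"dst_ip":"192.0.2.50","dst_port":80}
"""

# Stand-in allowlist (assumption). In production key this on signer or hash,
# not on a path an attacker can simply reuse.
APPROVED_IMAGES = frozenset({r"c:\program files\wireshark\wireshark.exe"})


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    image: str
    peer: str          # packet origin == outbound destination
    inbound_ts: datetime
    outbound_ts: datetime


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts with an aware datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list[dict],
              window: timedelta = timedelta(seconds=30),
              skew: timedelta = timedelta(seconds=2),
              approved: frozenset = frozenset()) -> list[Finding]:
    """Emit a Finding when all three conditions line up for the same (host, pid)."""
    capture_procs: dict[tuple[str, int], str] = {}      # (host, pid) -> image
    inbound: dict[tuple[str, str], list[datetime]] = {}  # (host, src_ip) -> times
    findings: list[Finding] = []
    for e in events:
        kind = e["kind"]
        if kind == "image_load":
            # Condition 1: this process loaded a capture library.
            if e["module"].rsplit("\\", 1)[-1].lower() in CAPTURE_LIBS:
                capture_procs[(e["host"], e["pid"])] = e["image"]
        elif kind == "inbound":
            # Condition 2: the host saw an inbound packet from src_ip.
            inbound.setdefault((e["host"], e["src_ip"]), []).append(e["ts"])
        elif kind == "net_conn":
            # Condition 3: outbound connection from the SAME pid (not merely the
            # same host) to the packet origin, shortly after the inbound packet.
            image = capture_procs.get((e["host"], e["pid"]))
            if image is None or image.lower() in approved:
                continue
            for t_in in inbound.get((e["host"], e["dst_ip"]), []):
                # Small negative tolerance absorbs sensor/endpoint clock skew.
                if t_in - skew <= e["ts"] <= t_in + window:
                    findings.append(Finding(e["host"], e["pid"], image,
                                            e["dst_ip"], t_in, e["ts"]))
                    break
    return findings


def run_example(approved: frozenset = APPROVED_IMAGES) -> list[Finding]:
    return correlate(parse_events(SAMPLE_EVENTS), approved=approved)


if __name__ == "__main__":
    for f in run_example():
        lag = (f.outbound_ts - f.inbound_ts).total_seconds()
        print(f"{f.host} pid={f.pid} {f.image} -> {f.peer} ({lag:.0f}s after inbound)")
```

Only the WS01 temp-directory binary is flagged: pid 5120 connects to the same peer in the same window but never loaded a capture library (host-only correlation would wrongly implicate it), the Wireshark process is suppressed by the allowlist, and the 10:41 connection falls outside the window. In a streaming deployment the `capture_procs` and `inbound` state needs expiry, and the allowlist should be keyed on code signer or hash rather than image path.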

Mitigation priorities

  • Inventory and govern approved packet-capture tools and drivers on Windows systems.
  • Restrict installation and use of packet-capture components to authorized administrators and monitored security tooling.
  • Ensure endpoint logging captures process, module-load, and network-connection evidence needed for investigation.
  • Apply egress controls and monitoring so unexpected outbound connections from endpoints are visible and reviewable.
  • Include this behavior in incident response playbooks for suspicious Windows network activity, emphasizing timeline reconstruction and process attribution.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and no ATT&CK tactics or relationships were provided. The strongest use is as a coverage test for Windows endpoint and network telemetry correlation around packet-capture capability and rapid outbound response behavior.

Official detection content is not provided, relationship context is absent, and only Windows is supported by the supplied fields. Local baselining is required because legitimate packet-capture and security tools may produce overlapping telemetry. This summary does not assert active exploitation, attribution, or existing detection coverage.

Official MITRE ATT&CK definition

Analytic 0462

Adversary installs/uses packet-capture or raw-socket capability (WinPcap/Npcap, wpcap/packet DLLs or raw socket attach) and sets a filter. A crafted inbound packet is observed; within a short window the host process that loaded capture libraries initiates an outbound connection (e.g., reverse shell) to the packet origin.

The same entry is also published by MITRE on attack.mitre.org.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (none recorded)
Modified: (none recorded)
Raw hash: 1302b9221133a349...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified          Status           Raw hash
19.1      (none recorded)   1.0              (none recorded)   Current bundle   1302b9221133…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0462 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.