MITRE ATT&CK® Analytic

AN0463: Analytic 0463

Process creates a raw/packet socket and attaches a (e)BPF filter (setsockopt SO_ATTACH_FILTER/ATTACH_BPF or bpf(BPF_PROG_LOAD)). Immediately after a matching inbound packet, the same process binds/connects outward to a remote host (reverse shell or beacon).

Enterprise | AN0463 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic describes a Linux behavior pattern where a process uses raw or packet sockets with a BPF/eBPF filter and then quickly initiates outbound network communication after a matching inbound packet. For security leaders, the practical concern is that this can represent stealthy trigger-based remote access or beacon behavior that may not look like a continuously listening service.

Executive priority

Prioritize this as a validation item for Linux server and workload monitoring where business-critical systems rely on strong incident detection and response. The key decision is whether the organization can correlate low-level socket/BPF activity with network connection timing; without that evidence, SOC teams may miss trigger-based access patterns or struggle to prove coverage during audits and incident reviews.

Technical view

SOC and detection teams should validate whether Linux telemetry captures, at process level, the creation of raw or packet sockets, the attachment of a filter via setsockopt with SO_ATTACH_FILTER or SO_ATTACH_BPF (or a program load via bpf(BPF_PROG_LOAD)), and a subsequent outbound bind/connect by the same process shortly after an inbound packet match. Because the ATT&CK object provides no official detection logic and no tactic mapping, teams should treat this as a behavior-correlation analytic rather than a standalone signature.

Likely telemetry

  • Linux process execution and process identity metadata
  • System call or kernel-level telemetry for socket creation and setsockopt activity
  • Telemetry for bpf(BPF_PROG_LOAD) or BPF/eBPF program loading
  • Network connection events showing inbound packets and outbound bind/connect activity
  • Process-to-network correlation data with timestamps

Detection direction

  • Confirm that Linux sensors can observe raw and packet socket creation, not only completed TCP/UDP connections.
  • Correlate BPF/eBPF filter attachment with near-term outbound connection attempts by the same process.
  • Tune for legitimate software that uses BPF/eBPF or packet sockets, such as monitoring, networking, tracing, or security tools.
  • Review whether containerized or privileged workloads reduce visibility into kernel, socket, or process context.
  • Use timing and same-process correlation to reduce false positives rather than alerting on all BPF/eBPF activity.
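One way to express this same-process, time-bounded correlation as detection logic. This is an added example, not detection content from the ATT&CK object or from Glexia; the record shape, field names, the allowlist and the 5-second window are assumptions chosen for illustration and would be replaced by the local sensor schema and baseline.

```python
# AN0463 correlator over constructed syscall telemetry. Record shape is assumed for this
# example (not a real sensor schema): dict with 'ts', 'pid', 'comm', 'syscall', 'args'.
import ipaddress
from dataclasses import dataclass

FILTER_OPTS = {"SO_ATTACH_FILTER", "SO_ATTACH_BPF"}
ALLOWLIST = {"tcpdump"}  # constructed; replace with the approved capture/tracing tool inventory
WINDOW_S = 5.0  # sensors rarely expose the inbound packet match, so "immediately after" is approximated by a window

@dataclass
class PidState:
    raw_socket: bool = False  # AF_PACKET or SOCK_RAW socket seen for this pid
    filter_ts: float = None   # last SO_ATTACH_FILTER/SO_ATTACH_BPF or bpf(BPF_PROG_LOAD)

def is_remote(addr):
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_unspecified)

def correlate(events, window=WINDOW_S, allowlist=ALLOWLIST):
    """Return (pid, comm, seconds from filter attach to outbound connect) per hit."""
    state, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = state.setdefault(ev["pid"], PidState())
        sc, a = ev["syscall"], ev["args"]
        if sc == "socket" and (a.get("domain") == "AF_PACKET" or a.get("type") == "SOCK_RAW"):
            st.raw_socket = True
        elif (sc == "setsockopt" and a.get("optname") in FILTER_OPTS) or \
             (sc == "bpf" and a.get("cmd") == "BPF_PROG_LOAD"):
            st.filter_ts = ev["ts"]
        elif sc == "connect" and is_remote(a.get("addr", "0.0.0.0")):
            # only a process already holding a filtered raw socket is a candidate
            if st.raw_socket and st.filter_ts is not None and ev["comm"] not in allowlist:
                delta = ev["ts"] - st.filter_ts
                if 0 <= delta <= window:
                    alerts.append((ev["pid"], ev["comm"], delta))
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"ts": 100.0, "pid": 4242, "comm": "updater", "syscall": "socket", "args": {"domain": "AF_PACKET", "type": "SOCK_RAW"}},
    {"ts": 100.1, "pid": 4242, "comm": "updater", "syscall": "setsockopt", "args": {"optname": "SO_ATTACH_FILTER"}},
    {"ts": 102.5, "pid": 4242, "comm": "updater", "syscall": "connect", "args": {"addr": "198.51.100.7", "port": 443}},  # hit
    {"ts": 100.0, "pid": 5151, "comm": "tcpdump", "syscall": "socket", "args": {"domain": "AF_PACKET", "type": "SOCK_RAW"}},
    {"ts": 100.2, "pid": 5151, "comm": "tcpdump", "syscall": "setsockopt", "args": {"optname": "SO_ATTACH_FILTER"}},
    {"ts": 101.0, "pid": 5151, "comm": "tcpdump", "syscall": "connect", "args": {"addr": "127.0.0.1", "port": 53}},  # loopback, allowlisted
    {"ts": 200.0, "pid": 6161, "comm": "agent", "syscall": "connect", "args": {"addr": "203.0.113.9", "port": 443}},  # no raw socket
]

if __name__ == "__main__":
    for pid, comm, delta in correlate(SAMPLE_EVENTS):
        print(f"AN0463 hit: pid={pid} comm={comm} outbound connect {delta:.1f}s after filter attach")
```

The window and allowlist are the two tuning knobs the bullets above call for; widening the window trades false positives for coverage of slower beacons.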

Mitigation priorities

  • Restrict unnecessary privileges that allow raw socket use or BPF/eBPF program loading on Linux systems.
  • Inventory and approve legitimate tools that require packet capture, tracing, or BPF/eBPF functionality.
  • Ensure endpoint and audit policies collect the telemetry needed for process, socket, BPF/eBPF, and network correlation.
  • Apply least-privilege and workload hardening to Linux servers and sensitive workloads.
  • Prepare incident response playbooks to investigate suspicious same-process inbound-triggered outbound connections.

Analyst notes and limits

This object is a detection analytic, not a technique description. Its value is in testing whether Linux monitoring can connect kernel/socket behavior to network activity. The absence of relationship context means no supported attribution, campaign linkage, or specific ATT&CK tactic should be inferred.

Official detection text and relationship context were not supplied. The object only supports Linux platform coverage and the described behavior pattern. Local baselining is required because legitimate observability, networking, and security tools may use BPF/eBPF or raw/packet sockets.

Official MITRE ATT&CK definition

Analytic 0463

Process creates a raw/packet socket and attaches a (e)BPF filter (setsockopt SO_ATTACH_FILTER/ATTACH_BPF or bpf(BPF_PROG_LOAD)). Immediately after a matching inbound packet, the same process binds/connects outward to a remote host (reverse shell or beacon).


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 215337e3557c6aba...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 215337e3557c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.