AN1255: Analytic 1255
ICMP or raw socket traffic generated by user-mode processes like bash, Python, or nc, typically using `ping`, `hping3`, or crafted packets via libpcap or scapy.
Analyst context for executives and security teams
This analytic points to a Linux monitoring concern: user-mode tools such as shells, Python, nc, ping, hping3, or packet-crafting libraries generating ICMP or raw socket traffic. For leaders, the value is not the tool name but whether the organization can distinguish expected diagnostics from unusual process-driven network activity that may matter during an investigation or outage.
Executive priority
Treat this as a coverage-validation item for Linux estates. Security leaders should ask whether SOC and IR teams can connect network-level ICMP/raw socket activity back to the originating host, user, and process. That evidence can support incident scoping, operational resilience decisions, and audit discussions about endpoint and network telemetry completeness. Because ATT&CK provides no tactic or detection logic here, priority should be based on local Linux criticality, exposure, and whether raw-socket-capable utilities are common in the environment.
Technical view
Validate telemetry for Linux hosts where user-mode processes generate ICMP or raw socket traffic. The supplied analytic description specifically references bash, Python, nc, ping, hping3, libpcap, and scapy-style crafted packets. SOC teams should test whether they can observe process identity, command context where available, user/session context, socket or packet metadata, and destination information, then correlate that with network sensor observations. Two caveats matter when the rule is written at the socket level. First, current iputils ping opens an unprivileged ICMP datagram socket (SOCK_DGRAM with IPPROTO_ICMP) when net.ipv4.ping_group_range permits it and falls back to SOCK_RAW only otherwise, so a rule keyed solely on SOCK_RAW misses routine ping, while a rule keyed on any ICMP socket must baseline it. Second, libpcap- and scapy-based tooling on Linux typically opens AF_PACKET sockets rather than AF_INET raw sockets, which a rule scoped to AF_INET will not see. Since no official detection logic is provided, detections should be environment-tuned around unexpected parent processes, unusual users, uncommon binaries or interpreters, and raw/ICMP activity from systems where such traffic is not normally used for diagnostics.
Likely telemetry
- Linux process creation and process lineage telemetry
- Command-line or script execution metadata where collected
- User and session context for the process generating traffic
- Endpoint network connection or socket activity telemetry, especially ICMP/raw socket indicators
- Network sensor or flow records showing ICMP traffic
Detection direction
- Confirm whether endpoint telemetry can attribute ICMP/raw socket activity to a specific Linux process, not only to an IP address.
- Baseline legitimate use of ping and other diagnostic tools to reduce noise from administrators, monitoring systems, and troubleshooting workflows.
- Look for unusual combinations such as interpreters or shells generating ICMP/raw traffic, especially from sensitive servers or non-administrative users.
- Correlate host process evidence with network observations so analysts can validate whether traffic was expected or anomalous.
- Account for blind spots: network-only telemetry may miss the originating process, while endpoint-only telemetry may lack packet-level context.
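The technical view and the detection direction above, run end to end over constructed telemetry, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it parses auditd SYSCALL records for socket() calls, classifies them as IP raw, unprivileged ICMP datagram, or AF_PACKET raw sockets (masking off SOCK_CLOEXEC and SOCK_NONBLOCK flags so that python3's `a1=80003` is still recognized as SOCK_RAW), attributes each to host, process, binary and login UID, applies a hypothetical local baseline, and joins the resulting alerts to flow records from a network sensor. The record layout follows auditd's SYSCALL output with a `node=` prefix as produced by `name_format = hostname`, but every record, the flow records, the allowlisted binaries, the admin login UIDs, the sensitive-host set and the host-to-IP map are constructed assumptions to be replaced with local values.

```python
# Added example (not ATT&CK or Glexia code): attribute ICMP/raw socket creation to a
# Linux process from auditd SYSCALL records, apply a local baseline, join to flow records.
import re
from collections import namedtuple

SYS_SOCKET, ARCH_X86_64 = 41, "c000003e"          # x86_64 ABI: socket() is syscall 41
AF_INET, AF_INET6, AF_PACKET = 2, 10, 17
SOCK_DGRAM, SOCK_RAW, SOCK_TYPE_MASK = 2, 3, 0xF  # mask strips SOCK_CLOEXEC/SOCK_NONBLOCK
IPPROTO_ICMP, IPPROTO_ICMPV6 = 1, 58
AUID_UNSET = 4294967295                           # auid=-1: no login session (boot-time daemons)

# Hypothetical local baseline: every value here is an assumption to tune per estate.
EXPECTED_ICMP_BINARIES = {"/usr/bin/ping", "/usr/bin/fping"}
ADMIN_AUIDS = {1000}
SENSITIVE_HOSTS = {"db01"}
HOST_IPS = {"web01": "10.0.0.21", "db01": "10.0.0.30"}
INTERPRETER_RE = re.compile(r"/(bash|sh|dash|zsh|python[\d.]*|perl|ruby|nc|ncat|socat)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+)\.\d+:\d+\)")
Alert = namedtuple("Alert", "node ts pid exe auid kind reasons flows")

def parse_record(line):
    """Flatten one auditd record into a dict; adds integer 'ts' from msg=audit(ts:serial)."""
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = TS_RE.search(line)
    f["ts"] = int(m.group(1)) if m else 0
    return f

def classify_socket(f):
    """'packet-raw', 'ip-raw', 'icmp-dgram' or None for a successful socket() record."""
    if f.get("type") != "SYSCALL" or f.get("arch") != ARCH_X86_64:
        return None
    if int(f.get("syscall", -1)) != SYS_SOCKET or f.get("success") != "yes":
        return None
    family, proto = int(f["a0"], 16), int(f["a2"], 16)
    stype = int(f["a1"], 16) & SOCK_TYPE_MASK
    if family == AF_PACKET:                      # libpcap/scapy capture and L2 injection
        return "packet-raw"
    if family in (AF_INET, AF_INET6):
        if stype == SOCK_RAW:                    # hping3, crafted ICMP, ping outside ping_group_range
            return "ip-raw"
        if stype == SOCK_DGRAM and proto in (IPPROTO_ICMP, IPPROTO_ICMPV6):
            return "icmp-dgram"                  # unprivileged ping socket
    return None

def evaluate(f, kind):
    """Baseline check; an empty list means expected diagnostic activity."""
    exe, node, auid = f.get("exe", ""), f.get("node", "?"), int(f.get("auid", AUID_UNSET))
    reasons = []
    if INTERPRETER_RE.search(exe):
        reasons.append("interpreter or shell opened %s socket" % kind)
    elif exe not in EXPECTED_ICMP_BINARIES or kind == "packet-raw":
        reasons.append("%s not in ICMP diagnostic baseline (%s)" % (exe, kind))
    if node in SENSITIVE_HOSTS:
        reasons.append("sensitive host %s" % node)
    if auid != AUID_UNSET and auid not in ADMIN_AUIDS:
        reasons.append("non-administrative login uid %d" % auid)
    return reasons

def correlate(f, flows, window=60):
    """ICMP flow records from the alerting host's address within +/- window seconds."""
    src = HOST_IPS.get(f.get("node"))
    return [fl for fl in flows if fl["src"] == src and fl["proto"].startswith("icmp")
            and abs(fl["ts"] - f["ts"]) <= window]

def detect(audit_lines, flows):
    """One Alert per socket() record that fails the baseline, with matching flows attached."""
    alerts = []
    for f in map(parse_record, audit_lines):
        kind = classify_socket(f)
        reasons = evaluate(f, kind) if kind else []
        if reasons:
            alerts.append(Alert(f.get("node", "?"), f["ts"], int(f["pid"]), f.get("exe", ""),
                                int(f.get("auid", AUID_UNSET)), kind, reasons, correlate(f, flows)))
    return alerts

# Constructed, abridged auditd SYSCALL records (node= comes from name_format = hostname).
SAMPLE_AUDIT = [
    # expected: unprivileged ping (SOCK_DGRAM, IPPROTO_ICMP) by the admin login on web01
    'node=web01 type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=2 a1=2 a2=1 a3=0 ppid=2200 pid=2201 auid=1000 uid=1000 comm="ping" exe="/usr/bin/ping" key="icmp"',
    # suspicious: python3 opens AF_INET, SOCK_RAW|SOCK_CLOEXEC, IPPROTO_ICMP on the database host
    'node=db01 type=SYSCALL msg=audit(1700000000.140:302): arch=c000003e syscall=41 success=yes exit=4 '
    'a0=2 a1=80003 a2=1 a3=0 ppid=3100 pid=3101 auid=1001 uid=0 comm="python3" exe="/usr/bin/python3.11" key="icmp"',
    # suspicious: hping3 run from the admin login on web01
    'node=web01 type=SYSCALL msg=audit(1700000000.200:303): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=2 a1=3 a2=1 a3=0 ppid=2200 pid=2300 auid=1000 uid=0 comm="hping3" exe="/usr/sbin/hping3" key="icmp"',
    # noise: sshd opening a TCP socket (SOCK_STREAM|SOCK_CLOEXEC), must be ignored
    'node=web01 type=SYSCALL msg=audit(1700000000.210:304): arch=c000003e syscall=41 success=yes exit=5 '
    'a0=2 a1=80001 a2=6 a3=0 ppid=1 pid=900 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="icmp"',
]
SAMPLE_FLOWS = [  # constructed flow records; src addresses map back to hosts via HOST_IPS
    {"ts": 1700000000, "src": "10.0.0.30", "dst": "10.0.0.5", "proto": "icmp"},
    {"ts": 1700000000, "src": "10.0.0.21", "dst": "10.0.0.5", "proto": "icmp"},
    {"ts": 1700000000, "src": "10.0.0.21", "dst": "10.0.0.9", "proto": "tcp"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT, SAMPLE_FLOWS):
        print(a.node, a.pid, a.exe, a.kind, a.reasons, [fl["dst"] for fl in a.flows])
```

Run as a script it reports two alerts: the python3 raw socket on db01 (interpreter, sensitive host, non-administrative login UID, with the matching ICMP flow to 10.0.0.5) and hping3 on web01 (binary outside the baseline), while the admin's ping and sshd's TCP socket are dropped. To feed real records into it, auditd needs a rule on the socket syscall keyed to the same key as in the samples; the socket() record alone carries no destination, which is why the join to flow records is needed to validate what the process actually sent.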
Mitigation priorities
- Prioritize telemetry completeness before control changes: ensure Linux endpoint and network data can be joined during investigations.
- Restrict raw-socket-capable utilities and packet-crafting libraries to users and systems with a legitimate operational need, where consistent with business requirements.
- Use least privilege and administrative access controls to limit who can run diagnostic or packet-crafting tools on critical Linux systems.
- Document approved diagnostic workflows so SOC teams can distinguish expected troubleshooting from activity requiring review.
- Review monitoring and compliance evidence for critical Linux assets to confirm process, user, and network attribution are retained for incident response.
Analyst notes and limits
This object is a detection analytic, not a technique description. It is platform-scoped to Linux and describes ICMP or raw socket traffic from user-mode processes, but it does not provide ATT&CK tactics, related techniques, relationships, or official detection logic. The main defensive value is a practical telemetry and tuning checklist for Linux process-to-network attribution.
No relationship context, tactic mapping, mitigation text, or official detection logic was supplied. This take does not infer adversary use, active exploitation, impact, attribution, or detection coverage. Local baselines are required because ICMP and diagnostic tools can be normal administrative activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 352b9aa3a690… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1255 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.