AN1484: Analytic 1484
sshd, socat, or custom binaries initiating port forwarding or encapsulating traffic (e.g., RDP, SMB) through SSH or HTTP. Defender sees abnormal connect/bind syscalls, encrypted traffic on ports typically used for non-encrypted services, and outlier traffic volume patterns.
Analyst context for executives and security teams
This analytic highlights Linux systems using sshd, socat, or custom binaries to forward ports or encapsulate traffic such as RDP or SMB through SSH or HTTP. For leaders, the practical issue is loss of network visibility: sensitive administrative or file-sharing traffic may be hidden inside allowed encrypted channels, making perimeter rules and basic port-based monitoring less reliable.
Executive priority
Prioritize this as a visibility and control-validation issue for Linux environments. Security leaders should ask whether the SOC can distinguish approved tunneling or remote administration from abnormal forwarding behavior, whether encrypted traffic on unexpected service ports is reviewed, and whether incident responders have host and network evidence to determine what was tunneled during an investigation. It is especially relevant to resilience, audit evidence, and control assurance where Linux servers can bridge internal services or bypass expected network segmentation.
Technical view
ATT&CK provides a Linux-focused analytic description, but no formal detection logic. SOC and detection teams should validate whether they can observe abnormal connect and bind syscalls from sshd, socat, or non-standard binaries, correlate those events with network flows, and identify encrypted traffic appearing on ports normally associated with non-encrypted services. Because no tactics or relationships are supplied, treat this as a behavioral detection pattern rather than a fully scoped ATT&CK technique mapping.
Likely telemetry
- Linux process execution telemetry for sshd, socat, and unusual or custom binaries
- Linux syscall or endpoint telemetry showing connect and bind activity
- Network flow records showing source, destination, port, protocol, and traffic volume
- Evidence of encrypted sessions on ports commonly expected to carry non-encrypted services
- Traffic volume baselines for Linux hosts and administrative services
Detection direction
- Baseline legitimate SSH, socat, and administrative forwarding activity before alerting aggressively.
- Look for outlier connect/bind behavior from Linux hosts, especially where the initiating process is sshd, socat, or an uncommon binary.
- Correlate host process/syscall evidence with network flow anomalies, including encrypted traffic on unexpected ports and unusual traffic volumes.
- Tune for sanctioned remote administration, maintenance tooling, and backup or monitoring workflows to reduce false positives.
- Review blind spots where endpoint telemetry does not capture syscalls, where network sensors cannot classify encrypted traffic, or where logs cannot link processes to connections.
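The correlation the list above describes, written out as an added example (not code from ATT&CK or from Glexia): it joins constructed connect()/bind() events with constructed flow records on host, peer and port, adds one reason per independent signal (forwarder or non-baseline process, TLS on a cleartext port, bytes above a per-host baseline), and surfaces only events backed by two or more signals. The baseline binary list, the cleartext-port list, the join window and the three-sigma volume threshold are assumptions to replace with local data.

```python
# Added example, not from the ATT&CK object or the Glexia page: correlate Linux
# connect()/bind() telemetry with flow records and score candidate tunneling.
# Every record, list and threshold below is constructed or assumed; tune locally.
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Assumed site baseline: binaries expected to open sockets on this host role,
# binaries that commonly forward traffic, and ports whose normal service is
# cleartext (a TLS handshake there is worth a look).
BASELINE_NET_BINARIES = {"sshd", "rsyslogd", "curl", "apt-get", "chronyd"}
FORWARDERS = {"sshd", "ssh", "socat"}
CLEARTEXT_PORTS = {21, 23, 25, 80, 110, 143, 389}

@dataclass
class SyscallEvent:  # one connect()/bind() from auditd or eBPF tracing
    ts: int          # epoch seconds
    host: str
    pid: int
    comm: str        # process name as the kernel reports it
    syscall: str     # "connect" or "bind"
    ip: str          # remote peer for connect(), local address for bind()
    port: int

@dataclass
class Flow:          # one record from a network sensor
    ts: int
    host: str
    ip: str
    port: int
    bytes_out: int
    tls_seen: bool   # sensor observed a TLS ClientHello (assumed capability)

@dataclass
class Finding:
    host: str
    pid: int
    comm: str
    ip: str
    port: int
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)  # one point per independent signal

def volume_threshold(history):
    """Outlier cut-off for bytes_out: mean + 3 standard deviations of past flows."""
    return mean(history) + 3 * pstdev(history)

def correlate(events, flows, volume_history, window=60):
    """Join each syscall event to flows on (host, peer, port) within `window`
    seconds and collect the reasons it resembles port forwarding or tunneling."""
    findings = []
    for ev in events:
        if ev.syscall not in ("connect", "bind"):
            continue
        f = Finding(ev.host, ev.pid, ev.comm, ev.ip, ev.port)
        if ev.comm in FORWARDERS:
            f.reasons.append(f"{ev.comm} issued {ev.syscall}() for {ev.ip}:{ev.port}")
        elif ev.comm not in BASELINE_NET_BINARIES:
            f.reasons.append(f"non-baseline binary {ev.comm} issued {ev.syscall}()")
        if ev.syscall == "connect":  # bind() has no peer flow to join against
            for fl in flows:
                if (fl.host, fl.ip, fl.port) != (ev.host, ev.ip, ev.port):
                    continue
                if abs(fl.ts - ev.ts) > window:
                    continue
                if fl.tls_seen and fl.port in CLEARTEXT_PORTS:
                    f.reasons.append(f"TLS seen on cleartext port {fl.port}")
                hist = volume_history.get(ev.host)
                if hist and fl.bytes_out > volume_threshold(hist):
                    f.reasons.append(f"{fl.bytes_out} bytes out exceeds host baseline")
        if f.reasons:
            findings.append(f)
    return findings

def triage(findings, min_score=2):
    """Keep findings backed by at least `min_score` independent signals, worst first."""
    return sorted((f for f in findings if f.score >= min_score),
                  key=lambda f: f.score, reverse=True)

# Constructed sample telemetry for one host.
SAMPLE_EVENTS = [
    SyscallEvent(1000, "web01", 4120, "sshd", "connect", "10.0.5.20", 445),
    SyscallEvent(1005, "web01", 4130, "curl", "connect", "10.0.9.1", 80),
    SyscallEvent(1010, "web01", 4141, "socat", "bind", "0.0.0.0", 8080),
    SyscallEvent(1020, "web01", 4150, "updater", "connect", "203.0.113.7", 80),
]
SAMPLE_FLOWS = [
    Flow(1002, "web01", "10.0.5.20", 445, 3_000_000, False),
    Flow(1006, "web01", "10.0.9.1", 80, 12_000, False),
    Flow(1021, "web01", "203.0.113.7", 80, 2_800_000, True),
]
VOLUME_HISTORY = {"web01": [10_000, 12_000, 9_500, 11_000, 13_000, 10_500]}

if __name__ == "__main__":
    for f in triage(correlate(SAMPLE_EVENTS, SAMPLE_FLOWS, VOLUME_HISTORY)):
        print(f"{f.host} pid={f.pid} {f.comm} {f.ip}:{f.port} score={f.score}:", "; ".join(f.reasons))
```

On the constructed data the curl fetch on port 80 produces no finding, the socat listener is recorded with a single reason and dropped by triage, and the two events that combine a process signal with a flow signal (sshd reaching an SMB port with unusual volume; an unknown binary speaking TLS on port 80) are the ones an analyst sees first. The minimum score is the tuning knob the list above calls for: raise it where sanctioned forwarding is common, and feed the baseline sets from an inventory of approved tooling.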
Mitigation priorities
- Inventory and approve legitimate port forwarding and tunneling use on Linux systems.
- Restrict unnecessary forwarding tools and binaries where operationally feasible.
- Harden SSH configuration and administrative access paths according to local policy.
- Ensure network segmentation and firewall rules do not rely only on service port assumptions.
- Maintain host and network logging sufficient for incident response reconstruction of tunneled activity.
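One way to act on the SSH hardening item above, as an added example that is neither the page's nor OpenSSH's code: a Python audit of the global section of an sshd_config that reports the effective value of the forwarding-related directives (AllowTcpForwarding, AllowStreamLocalForwarding, AllowAgentForwarding, GatewayPorts, PermitTunnel, PermitOpen), applying OpenSSH's documented defaults when a directive is absent and its first-occurrence-wins rule when one repeats. Both configs are constructed; what counts as permissive is a policy assumption, and Match blocks are skipped, so per-group exceptions need separate review.

```python
# Added example, not from the page or from OpenSSH: audit the global section of
# an sshd_config for the directives that govern port forwarding and tunneling.
import re

# OpenSSH defaults for each directive and the values this policy treats as
# restrictive; None means "anything except 'any' is restrictive" (policy assumption).
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding":         ("yes", {"no"}),
    "allowstreamlocalforwarding": ("yes", {"no"}),
    "allowagentforwarding":       ("yes", {"no"}),
    "gatewayports":               ("no",  {"no"}),
    "permittunnel":               ("no",  {"no"}),
    "permitopen":                 ("any", None),
}

def parse_global(text):
    """Return {lowercased directive: value} for the global section. sshd keeps the
    first value it reads for a keyword, and everything after a Match line is
    conditional, so parsing stops there (Match blocks need their own review)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        seen.setdefault(key, value)
    return seen

def audit(text):
    """Effective value of each forwarding directive and whether it is permissive."""
    cfg = parse_global(text)
    report = {}
    for key, (default, restrictive) in FORWARDING_DIRECTIVES.items():
        value = cfg.get(key, default)
        permissive = value == "any" if restrictive is None else value not in restrictive
        report[key] = {"value": value, "explicit": key in cfg, "permissive": permissive}
    return report

def permissive_directives(text):
    """Sorted names of directives left in a permissive state."""
    return sorted(k for k, r in audit(text).items() if r["permissive"])

# Constructed: a config that never mentions forwarding, so OpenSSH defaults apply.
WEAK_CONFIG = """
Port 22
PermitRootLogin no
X11Forwarding no
"""

# Constructed: forwarding closed globally, reopened only for one group via Match.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
PermitOpen none
Match Group jumpadmins
    AllowTcpForwarding local
    PermitOpen jump.example.internal:22
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "permissive:", permissive_directives(cfg) or "none")
```

The weak config is the common case: nothing about it looks wrong, yet because OpenSSH defaults AllowTcpForwarding, AllowStreamLocalForwarding and AllowAgentForwarding to yes and PermitOpen to any, every sshd on that host can forward traffic. The hardened config closes those globally and uses a Match block to re-enable only local forwarding to a named jump host for one group, which is the "inventory and approve" model the list above describes; run `sshd -T` on the host to see the fully resolved values including Match results.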
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a full technique entry. It names Linux as the supported platform and describes observable behavior involving sshd, socat, custom binaries, port forwarding, encapsulated traffic, abnormal connect/bind syscalls, encrypted traffic on unusual ports, and traffic-volume outliers. No tactic, relationship, alias, or official detection logic was supplied.
This take is limited to the provided STIX fields and one MITRE external reference. It does not establish attacker intent, attribution, prevalence, active exploitation, business impact, or guaranteed detectability. Local baselines, approved administration patterns, and available host/network telemetry are required to determine coverage and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4a534b9fe264… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1484
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.