MITRE ATT&CK® Detection Strategy

DET0162: Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002)


Enterprise | DET0162 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0162 is a MITRE detection strategy for behavior associated with Socket Filters (T1205.002): a backdoor-style pattern where filtered network traffic can trigger on-host raw-socket activity and a reverse connection. For leaders, the significance is not the filter itself, but the possibility that normal-looking network traffic can be used as a quiet activation mechanism for persistence or command-and-control.

Executive priority

Prioritize this as a resilience and visibility question: can the organization prove it would see privileged raw-socket use, unusual socket filtering, and follow-on outbound connections on Linux, macOS, and Windows systems where T1205.002 is relevant? This matters for incident response scoping, command-and-control containment, and audit evidence around endpoint and network monitoring. Because the detection strategy has no official MITRE detection text, teams should treat it as a validation prompt rather than an out-of-the-box analytic.

Technical view

SOC and detection teams should validate coverage around the relationship-defined behavior for T1205.002: socket filters used to monitor traffic and activate backdoors for stealth, persistence, or command-and-control. Focus on correlating three evidence points implied by the strategy name: a network/socket-filter trigger, on-host raw-socket activity, and a subsequent reverse connection. Since the detection strategy object does not specify platforms or detection logic, use the related technique context for Linux, macOS, and Windows and tune against local endpoint, network, and privilege telemetry.

Likely telemetry

  • Endpoint process and command execution telemetry involving raw sockets or packet capture/filtering libraries where available
  • Privilege or permission telemetry related to elevated network socket access
  • Network connection telemetry showing unusual outbound or reverse-connection behavior after inbound traffic patterns
  • Host-based network sensor or EDR events for packet capture, socket creation, or network interface monitoring
  • Network flow, firewall, proxy, or IDS evidence that can correlate triggering traffic with later outbound connections

Detection direction

  • Validate whether telemetry can correlate inbound or observed trigger traffic to near-term host raw-socket activity and outbound connection creation.
  • Tune detections for rare or unauthorized raw-socket and packet-filter activity, while accounting for legitimate administrative, monitoring, troubleshooting, and security tools that may use similar capabilities.
  • Use relationship context to map detections to stealth, persistence, and command-and-control investigation workflows rather than treating the event as a standalone network anomaly.
  • Check blind spots on endpoints where raw-socket, packet capture, or low-level network activity is not collected or is collected without process/user context.
  • Because MITRE provides no official detection text for DET0162, require local baselining and validation before using alerts as high-confidence indicators.
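The three evidence points named above (trigger traffic, on-host raw-socket activity, a follow-on outbound connection) can be joined in a short correlation pass, with baselined tools suppressed rather than dropped so they remain in the audit trail. The following Python is an added example, not MITRE's or Glexia's code: the event schema, field names, time windows, allowlist and sample events are constructed assumptions and must be mapped onto your own EDR, auditd or flow telemetry before use.

```python
"""Correlate socket-filter telemetry into a DET0162-style finding.

Added example, not MITRE or Glexia code. The event schema, field names,
allowlist and sample events below are constructed for illustration and
must be mapped onto your own EDR/auditd/flow telemetry before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Processes whose raw-socket use is expected after local baselining.
# Assumption: tune this to the capture and monitoring tools you approve.
BASELINED_TOOLS = {"tcpdump", "suricata", "zeek"}

# An inbound trigger must precede the outbound connection by at most this much.
TRIGGER_WINDOW = timedelta(seconds=60)
# A raw-socket/filter attach stays relevant for a pid for at most this long.
FILTER_WINDOW = timedelta(hours=12)

# Constructed sample events (not real telemetry). Event types:
#   raw_socket       process opened an AF_PACKET/SOCK_RAW socket or attached a filter
#   inbound_trigger  unsolicited inbound traffic reported by a network sensor
#   outbound_connect new outbound connection from a process (reverse-connection candidate)
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T08:00:00", "host": "web01", "pid": 4100, "proc": "tcpdump", "type": "raw_socket"},
    {"ts": "2026-01-10T08:05:00", "host": "web01", "pid": 4200, "proc": "kworkerd", "type": "raw_socket"},
    {"ts": "2026-01-10T09:30:00", "host": "web01", "pid": None, "proc": None, "type": "inbound_trigger", "src": "203.0.113.7"},
    {"ts": "2026-01-10T09:30:05", "host": "web01", "pid": 4200, "proc": "kworkerd", "type": "outbound_connect", "dst": "203.0.113.7:4444"},
    {"ts": "2026-01-10T09:31:00", "host": "web01", "pid": 4100, "proc": "tcpdump", "type": "outbound_connect", "dst": "10.0.0.5:514"},
    {"ts": "2026-01-10T11:00:00", "host": "db02", "pid": 900, "proc": "sshd", "type": "outbound_connect", "dst": "10.0.0.9:443"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, trigger_window=TRIGGER_WINDOW,
              filter_window=FILTER_WINDOW, allowlist=BASELINED_TOOLS):
    """Return one finding per outbound connection that completes the chain
    raw_socket (same host+pid) -> inbound_trigger (same host) -> outbound_connect."""
    filters = defaultdict(list)   # (host, pid) -> timestamps of raw-socket/filter events
    triggers = defaultdict(list)  # host -> [(timestamp, source ip)]
    findings = []
    for event in sorted(events, key=_when):
        now = _when(event)
        kind = event["type"]
        if kind == "raw_socket":
            filters[(event["host"], event["pid"])].append(now)
        elif kind == "inbound_trigger":
            triggers[event["host"]].append((now, event.get("src")))
        elif kind == "outbound_connect":
            key = (event["host"], event["pid"])
            live_filters = [t for t in filters[key] if now - t <= filter_window]
            if not live_filters:
                continue  # no prior raw-socket activity by this process
            recent = [(t, src) for t, src in triggers[event["host"]]
                      if timedelta(0) <= now - t <= trigger_window]
            if not recent:
                continue  # outbound connection not preceded by trigger traffic
            trigger_at, trigger_src = recent[-1]
            dst_ip = event["dst"].rsplit(":", 1)[0]
            baselined = event["proc"] in allowlist
            same_peer = dst_ip == trigger_src
            if baselined:
                severity = "info"     # expected tool; kept for the audit trail only
            elif same_peer:
                severity = "high"     # connects back to the host that sent the trigger
            else:
                severity = "medium"
            findings.append({
                "host": event["host"], "pid": event["pid"], "proc": event["proc"],
                "filter_attached_at": live_filters[0].isoformat(),
                "trigger_at": trigger_at.isoformat(), "trigger_src": trigger_src,
                "connect_at": now.isoformat(), "dst": event["dst"],
                "same_peer": same_peer, "baselined": baselined, "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} pid={f['pid']} {f['proc']}: "
              f"filter@{f['filter_attached_at']} trigger@{f['trigger_at']} "
              f"from {f['trigger_src']} -> connect {f['dst']}@{f['connect_at']}")
```

On the sample data this yields two findings: a high-severity chain for pid 4200 (filter attached, trigger traffic from 203.0.113.7, connection back to that same peer five seconds later) and an info-level record for tcpdump, which completes the same chain but is on the allowlist. The design keeps baselined matches visible so blind spots in the allowlist can be reviewed, and the two time windows are the main tuning knobs once real telemetry is wired in.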

Mitigation priorities

  • Limit elevated permissions required for raw-socket and packet-filter activity to approved administrators, services, and security tools.
  • Maintain endpoint and network monitoring capable of tying low-level socket activity to process, user, host, and outbound connection context.
  • Baseline legitimate packet capture, network monitoring, and troubleshooting activity so detections can distinguish expected operations from suspicious persistence or command-and-control patterns.
  • Ensure incident response playbooks include containment and scoping steps for hosts showing suspicious socket-filter activity plus reverse connections.
  • Review control evidence for compliance and resilience programs: endpoint logging coverage, network flow retention, privileged access governance, and alert triage procedures.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description or detection content. The most useful interpretation comes from its name and its relationship to T1205.002 Socket Filters, which describes adversaries attaching filters to network sockets to monitor traffic and activate backdoors for persistence or command-and-control.

Platforms and tactics are not specified on the detection strategy object itself; the platforms (Linux, macOS, Windows) and the tactics (stealth, persistence, command-and-control) are taken from the related T1205.002 technique context. No active exploitation, attribution, specific tool use, or guaranteed detection coverage is asserted from the supplied data.

Official MITRE ATT&CK definition

Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Type | Relationship / procedure
Enterprise | T1205.002 | Socket Filters | Sub-technique | This object detects Socket Filters.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 432915be7ccccebe...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 432915be7ccc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0162

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.