MITRE ATT&CK® Technique

T1205.002: Socket Filters

Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.

To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.[1] Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with Protocol Tunneling.[2][3]

Filters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `WinPcap`. Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.
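To make the `setsockopt` / `SO_ATTACH_FILTER` path concrete, the following is an added example written for this page (it is not ATT&CK text and not code from any of the implants the page cites). It assembles a classic BPF program that accepts only an IPv4/UDP frame to a trigger port whose payload starts with a magic word, packs it into the `struct sock_filter` layout the Linux kernel expects, and evaluates it with a minimal cBPF interpreter against constructed Ethernet frames so the match logic can be checked without privileges. The trigger port 4444 and the 32-bit magic word are assumptions chosen for the example; the attach step itself needs CAP_NET_RAW on Linux and only runs under the `__main__` guard.

```python
"""Classic BPF trigger filter of the kind attached with SO_ATTACH_FILTER.

Example code written for this page (not from ATT&CK or any referenced
malware). The evaluator covers only the opcodes this filter uses.
"""
import socket
import struct

# Opcode bits from <linux/filter.h> (classic BPF).
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06      # instruction classes
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10           # load widths
BPF_ABS, BPF_JEQ, BPF_K = 0x20, 0x10, 0x00       # addressing mode, jump op, immediate

SO_ATTACH_FILTER = 26          # Linux value; CPython's socket module has no constant for it
ETH_P_IP, ETH_P_ALL = 0x0800, 0x0003
IPPROTO_UDP = 17

TRIGGER_PORT = 4444            # assumption for the example
MAGIC_WORD = 0x5AFE5AFE        # assumption for the example


def stmt(code, k):
    return (code, 0, 0, k)


def jump(code, jt, jf, k):
    return (code, jt, jf, k)


def magic_udp_filter(port, magic):
    """Accept only IPv4/UDP frames to `port` whose payload starts with `magic`.

    Offsets assume an Ethernet frame and a 20-byte IPv4 header (no options).
    Jump targets are relative to the following instruction, as in cBPF.
    """
    return [
        stmt(BPF_LD | BPF_H | BPF_ABS, 12),                  # 0: A = EtherType
        jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 7, ETH_P_IP),     # 1: not IPv4 -> 9
        stmt(BPF_LD | BPF_B | BPF_ABS, 23),                  # 2: A = IP protocol
        jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 5, IPPROTO_UDP),  # 3: not UDP -> 9
        stmt(BPF_LD | BPF_H | BPF_ABS, 36),                  # 4: A = UDP dst port
        jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 3, port),         # 5: wrong port -> 9
        stmt(BPF_LD | BPF_W | BPF_ABS, 42),                  # 6: A = first 4 payload bytes
        jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, magic),        # 7: wrong magic -> 9
        stmt(BPF_RET | BPF_K, 0xFFFF),                       # 8: match: pass the packet
        stmt(BPF_RET | BPF_K, 0),                            # 9: drop
    ]


def pack_program(prog):
    """Serialise to an array of struct sock_filter {u16 code; u8 jt; u8 jf; u32 k;}."""
    return b"".join(struct.pack("=HBBI", *insn) for insn in prog)


def run_filter(prog, frame):
    """Minimal cBPF evaluator: returns the accept length (0 means dropped)."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_LD:
            if (code & 0xE0) != BPF_ABS:
                raise ValueError("only absolute loads are supported here")
            width = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[code & 0x18]
            if k + width > len(frame):
                return 0                 # kernel semantics: out-of-range load drops
            acc = int.from_bytes(frame[k:k + width], "big")
        elif cls == BPF_JMP:
            pc += jt if acc == k else jf
        elif cls == BPF_RET:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("program fell off the end")


def build_frame(dport, payload, proto=IPPROTO_UDP):
    """Constructed Ethernet/IPv4/UDP frame used as test input (checksums left zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 53000, dport, 8 + len(payload), 0)
    return eth + ip + udp + payload


def attach_trigger_filter(sock, prog):
    """Install the program on a socket; afterwards recv() only returns matching frames."""
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, pack_program(prog))


if __name__ == "__main__":
    # Live demonstration: Linux only, needs CAP_NET_RAW. Blocks until one trigger frame arrives.
    prog = magic_udp_filter(TRIGGER_PORT, MAGIC_WORD)
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        attach_trigger_filter(s, prog)
        frame = s.recv(65535)
        print(f"trigger frame received: {len(frame)} bytes")
```

The point for a detection engineer is what the host actually exposes: one `socket(AF_PACKET, SOCK_RAW, ...)` call, one `setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, ...)` call carrying 80 bytes of program, and then a process that sits in `recv()` generating no traffic. Running this under a sensor is a direct way to check whether those two calls are captured.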

Domain: Enterprise. ID: T1205.002. Type: Sub-technique. Object version: 2.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Socket Filters is a passive backdoor trigger pattern: an attacker with elevated access can attach a packet filter to a raw socket and wait for a specially crafted packet before activating a shell, implant behavior, ping-back, or command-and-control path. Its business significance is that the compromised host may look quiet until signaled, which can weaken confidence in “no beaconing observed” conclusions during incident response or audit reviews.

Executive priority

Prioritize this on Linux, macOS, or Windows systems that run processes with the privileges needed to open raw sockets, that expose interfaces to untrusted networks, or whose role means covert persistence would materially affect continuity. Leaders should ask whether endpoint and network controls can prove visibility into raw-socket activity, packet-filter attachment, unusual reverse connections that follow inbound packets, and ingress/egress filtering. Because this is a sub-technique of Traffic Signaling with named software examples, it bears on persistence and C2 readiness, not just malware cleanup.

Technical view

ATT&CK provides no official detection text, but the related DET0162 strategy frames useful validation: look for socket-filter trigger activity followed by on-host raw-socket activity and a reverse connection. SOC and IR teams should validate telemetry on libpcap/WinPcap use, pcap_setfilter, setsockopt with SO_ATTACH_FILTER, raw socket creation, privileged processes opening interfaces in promiscuous or packet-capture modes, and network sessions that begin immediately after unusual inbound TCP, UDP, ICMP, or other crafted traffic. Treat this as a low-noise but high-blind-spot behavior because the socket may be dormant until triggered.
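The "trigger followed by callback" framing above can be turned into a concrete correlation rule. The following is an added example written for this page, not a vendor rule and not ATT&CK content: it pairs inbound traffic from an external source to a port with no known listener (or ICMP) with host process execution or a new outbound connection from the same host within a short window. The key=value log format, the sample events, the internal address range (10.0.0.0/8), the listener inventory and the 10-second window are all assumptions constructed for the example.

```python
"""Trigger-then-callback correlation over constructed sensor events.

Example detection logic written for this page, not a vendor rule. The
key=value log format, the internal range and the 10 s window are assumptions.
"""
import shlex
from datetime import datetime, timedelta

# Constructed network sensor records for monitored host 10.0.0.5.
NET_LOG = """\
2024-05-01T10:00:01Z direction=inbound src=203.0.113.7 dst=10.0.0.5 proto=udp dport=4444 bytes=68
2024-05-01T10:00:03Z direction=outbound src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443 bytes=1420
2024-05-01T10:03:00Z direction=inbound src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=443 bytes=500
2024-05-01T10:05:00Z direction=inbound src=10.0.0.20 dst=10.0.0.5 proto=tcp dport=22 bytes=9100
2024-05-01T10:07:30Z direction=inbound src=198.51.100.9 dst=10.0.0.5 proto=icmp dport=0 bytes=98
2024-05-01T10:07:31Z direction=outbound src=10.0.0.5 dst=198.51.100.9 proto=tcp dport=4443 bytes=300
"""

# Constructed host (EDR) process events for the same host.
HOST_LOG = """\
2024-05-01T10:00:02Z host=10.0.0.5 type=process ppid=812 image=/bin/sh cmdline="sh -i"
2024-05-01T10:03:05Z host=10.0.0.5 type=process ppid=1 image=/usr/sbin/cron cmdline="cron -f"
2024-05-01T10:05:01Z host=10.0.0.5 type=process ppid=1200 image=/bin/bash cmdline="bash"
"""

# Services that legitimately accept inbound traffic on the host (assumed inventory).
LISTENERS = {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 443)}
INTERNAL_PREFIX = "10."        # assumed internal range
WINDOW = timedelta(seconds=10)


def parse_log(text):
    """Parse 'timestamp key=value ...' lines; shlex handles the quoted cmdline."""
    events = []
    for line in text.splitlines():
        parts = shlex.split(line)
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for part in parts[1:]:
            key, value = part.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def is_candidate_trigger(ev, listeners):
    """Inbound traffic from outside to a port nothing is listening on (or ICMP)."""
    if ev.get("direction") != "inbound" or ev["src"].startswith(INTERNAL_PREFIX):
        return False
    return (ev["dst"], ev["proto"], int(ev["dport"])) not in listeners


def correlate(net_events, host_events, listeners, window=WINDOW):
    """Pair each candidate trigger with host activity that follows it within the window."""
    alerts = []
    for trig in net_events:
        if not is_candidate_trigger(trig, listeners):
            continue
        deadline = trig["ts"] + window
        evidence = [("process", ev) for ev in host_events
                    if ev["host"] == trig["dst"] and trig["ts"] <= ev["ts"] <= deadline]
        evidence += [("outbound", ev) for ev in net_events
                     if ev.get("direction") == "outbound" and ev["src"] == trig["dst"]
                     and trig["ts"] < ev["ts"] <= deadline]
        if evidence:
            alerts.append({"trigger": trig, "evidence": evidence})
    return alerts


def run_sample():
    return correlate(parse_log(NET_LOG), parse_log(HOST_LOG), LISTENERS)


if __name__ == "__main__":
    for alert in run_sample():
        t = alert["trigger"]
        print(f"{t['ts']:%H:%M:%S} trigger {t['proto']}/{t['dport']} from {t['src']} -> {t['dst']}")
        for kind, ev in alert["evidence"]:
            detail = ev.get("cmdline") or f"{ev['dst']}:{ev['dport']}"
            print(f"    {ev['ts']:%H:%M:%S} {kind}: {detail}")
```

On the sample, the UDP/4444 probe followed by `sh -i` and an outbound TCP connection alerts, as does the ICMP packet followed by an outbound connection to port 4443; the external HTTPS request and the internal SSH login do not, because a listener inventory is what keeps this rule from firing on ordinary service traffic. Without that inventory the cron execution five seconds after the HTTPS request would also be flagged, which is the main false-positive source to expect in production.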

Likely telemetry

  • Endpoint process and command-line telemetry for packet-capture tooling, libraries, and privileged network access
  • System call or EDR telemetry for raw sockets, setsockopt, SO_ATTACH_FILTER, and pcap_setfilter where available
  • Packet capture or network sensor evidence of unusual inbound trigger packets and subsequent outbound or reverse connections
  • Firewall, host firewall, and egress filtering logs showing allowed or denied inbound and outbound traffic
  • File and package inventory for libpcap, WinPcap, or related packet-capture components on sensitive hosts

Detection direction

  • Baseline legitimate packet capture and monitoring tools to reduce false positives from administrators, EDR, NDR, and network troubleshooting utilities.
  • Correlate rare raw-socket or filter-attachment events with subsequent reverse shells, ping-backs, implant installation behavior, or C2-like traffic rather than alerting on library presence alone.
  • Validate coverage on Linux, macOS, and Windows separately. SO_ATTACH_FILTER is a Linux socket option; libpcap on macOS works through BPF devices (/dev/bpf*), and Windows capture goes through the WinPcap driver (or its successor Npcap), so the syscall, driver, and sensor telemetry that exposes filter attachment differs by operating system and sensor capability.
  • Hunt for traffic-signaling patterns: unusual packets to a host followed by new process execution, shell invocation, or outbound network activity.
  • Review high-value servers, systems with exposed interfaces, and VPN or security appliances where telemetry is available, even though the ATT&CK platform field for this sub-technique lists only Linux, macOS, and Windows.
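The host-side part of the hunting guidance above (raw-socket visibility, baselining legitimate capture tools) can be done from /proc on Linux without any agent. The following is an added example written for this page, not ATT&CK content and not code from any vendor: it parses /proc/net/packet (one line per AF_PACKET socket), maps each socket inode to its owning process by reading /proc/<pid>/fd, and classifies the result against an assumed baseline of processes that legitimately hold packet sockets. The sample table and the allowlist are constructed for the example and must be tuned per environment.

```python
"""Hunt for AF_PACKET sockets and their owning processes on Linux.

Example hunting script written for this page (not from ATT&CK or any
referenced vendor). The allowlist is an assumed baseline to be tuned.
"""
import os
import re

# /proc/net/packet columns, in order (see net/packet/af_packet.c).
COLUMNS = ("sk", "refcnt", "type", "proto", "iface", "running", "rmem", "uid", "inode")
SOCK_TYPE = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_PROTO = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP", 0x0000: "unbound"}

# Assumed baseline of processes that legitimately hold packet sockets (tune locally).
KNOWN_CAPTURE_COMMS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
                       "wpa_supplicant", "systemd-network", "lldpd", "arpwatch"}

# Constructed sample of /proc/net/packet for offline runs.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      24601
0000000000000000 3      3    0800   0     1 0      0      24777
"""

FD_SOCKET = re.compile(r"^socket:\[(\d+)\]$")


def parse_packet_table(text):
    """Parse /proc/net/packet into dicts; Proto is hex, the rest decimal."""
    records = []
    for line in text.splitlines()[1:]:            # skip the header line
        fields = line.split()
        if len(fields) != len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, fields))
        for key, base in (("type", 10), ("proto", 16), ("iface", 10), ("uid", 10), ("inode", 10)):
            rec[key] = int(rec[key], base)
        records.append(rec)
    return records


def inode_from_fd_link(target):
    """'socket:[24601]' -> 24601; anything else -> None."""
    m = FD_SOCKET.match(target)
    return int(m.group(1)) if m else None


def socket_owners(proc="/proc"):
    """Map socket inode -> [(pid, comm)] by walking /proc/<pid>/fd (root sees all)."""
    owners = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
            links = os.listdir(fd_dir)
        except OSError:
            continue            # process exited, or fds not readable without privilege
        for fd in links:
            try:
                inode = inode_from_fd_link(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if inode is not None:
                owners.setdefault(inode, []).append((int(pid), comm))
    return owners


def assess(rec, comm):
    """Classify one packet socket given the owning process name."""
    if comm in KNOWN_CAPTURE_COMMS:
        return "baseline"
    if rec["type"] == 3 and rec["proto"] in (0x0003, 0x0800) and rec["iface"] == 0:
        return "review-high"    # raw socket, IP/all traffic, every interface: passive-trigger shape
    return "review"


def hunt(packet_table_text, owners):
    """Join packet sockets to owners and classify each; unknown owners are kept, not dropped."""
    findings = []
    for rec in parse_packet_table(packet_table_text):
        for pid, comm in owners.get(rec["inode"]) or [(None, "<unknown>")]:
            findings.append({"pid": pid, "comm": comm, "inode": rec["inode"],
                             "type": SOCK_TYPE.get(rec["type"], rec["type"]),
                             "proto": ETH_PROTO.get(rec["proto"], f"{rec['proto']:#06x}"),
                             "iface": rec["iface"], "verdict": assess(rec, comm)})
    return findings


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        table = f.read()
    for hit in hunt(table, socket_owners()):
        print(hit)
```

Two caveats for live use. /proc/net/packet lists the sockets but not the filter attached to them; on iproute2 systems `ss -0 -b -p` prints each packet socket with its owning process and the attached classic BPF program, which is the usual cross-check. And a socket whose inode maps to no readable process (the `<unknown>` case) is itself worth attention: either the script ran unprivileged, or the owner is hiding its file descriptors.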

Mitigation priorities

  • Implement M1037 (Filter Network Traffic) style ingress, egress, and lateral traffic filtering so only authorized sources, destinations, and protocols can reach sensitive systems; a trigger packet dropped at the boundary never reaches the filter.
  • Restrict elevated privileges required to open raw sockets or install packet filters; review which users, services, and tools genuinely need packet-capture capability.
  • Harden and monitor systems that legitimately require libpcap, WinPcap, or similar functionality, especially externally reachable or high-trust hosts.
  • Use host firewalls and network segmentation to reduce the chance that crafted trigger packets reach systems and to constrain any reverse connection that follows.
  • Include raw-socket and passive-backdoor checks in incident response playbooks before concluding a host is inactive or clean based only on lack of beaconing.

Analyst notes and limits

This sub-technique is a specific form of Traffic Signaling (T1205) used for stealth, persistence, and command-and-control. ATT&CK relationships list Penquin, PITSTOP, BPFDoor, and CASTLETAP as software using this behavior, but those relationships should inform detection engineering and threat modeling rather than imply current exposure or attribution in any environment.

The official ATT&CK object does not provide a detection section, so defensive guidance is inferred from the description, mitigation relationship M1037, and detection strategy relationship DET0162. Local sensor capability, operating system controls, and legitimate packet-capture usage determine whether this can be detected reliably.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain      ID      Name               Relationship / procedure
Enterprise  T1205   Traffic Signaling  This object is a sub-technique of Traffic Signaling.
Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S1161: BPFDoor

BPFDoor is a Linux-based passive long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its usage of Berkeley Packet Filter (BPF) to execute single task instructions. BPFDoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.[1][2]

Platforms: Linux
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 13627d38f101a256...

Imported snapshots across ATT&CK releases (1)
Release  Object version  Status          Raw hash
19.1     2.0             Current bundle  13627d38f101…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008 Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.
  2. [2] ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of a passive backdoor. Retrieved October 18, 2022.
  3. [3] Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  4. [4] MITRE ATT&CK. T1205.002: Socket Filters. attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.