Skip to content

DET0162 Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002)

Item Value
ID DET0162
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1205.002 (Socket Filters)

Analytics

Windows

AN0462

Adversary installs/uses packet-capture or raw-socket capability (WinPcap/Npcap, wpcap/packet DLLs or raw socket attach) and sets a filter. A crafted inbound packet is observed; within a short window the host process that loaded capture libraries initiates an outbound connection (e.g., reverse shell) to the packet origin.

Log Sources
Data Component Name Channel
Service Creation (DC0060) WinEventLog:System EventCode=7045
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Driver Load (DC0079) WinEventLog:Sysmon EventCode=6
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Network Traffic Content (DC0085) NSM:Flow Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip.
Mutable Elements
Field Description
TimeWindow Seconds to correlate inbound trigger → process library load/driver start → outbound connect (default 120s).
CaptureLibIndicators DLL/driver names to match (wpcap.dll, packet.dll, npcap.sys, npf.sys) – extend for EDR drivers in your fleet.
AllowedInstallers Signed/expected processes allowed to install/start Npcap (software distribution tools).
ReversePorts Likely egress ports to watch after trigger (4444, 53, 80/443, 8080, high ephemeral).

Linux

AN0463

Process creates a raw/packet socket and attaches a (e)BPF filter (setsockopt SO_ATTACH_FILTER/ATTACH_BPF or bpf(BPF_PROG_LOAD)). Immediately after a matching inbound packet, the same process binds/connects outward to a remote host (reverse shell or beacon).

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL socket(AF_PACKET
Network Connection Creation (DC0082) linux:osquery family=AF_PACKET or protocol raw; process name not in allowlist.
Network Traffic Content (DC0085) NSM:Flow Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed ≤TimeWindow by outbound SF from same host to src_ip.
Mutable Elements
Field Description
UserContext Flag raw-socket activity outside privileged daemons (root-only by default).
MinPayloadEntropy If using packet content (Zeek), treat high-entropy single-packet triggers as suspicious.
AFPacketAllowList System services allowed to open AF_PACKET (dhclient, keepalived, LLDP, monitoring agents).

macOS

AN0464

Process opens /dev/bpf* (libpcap) or loads NetworkExtension filter, then after a crafted inbound packet the same process initiates an outbound connection to the trigger origin.

Log Sources
Data Component Name Channel
Process Creation (DC0032) OpenBSM:AuditTrail open/openat of /dev/bpf*; ioctl BIOCSETF-like operations.
Network Connection Creation (DC0082) macos:unifiedlog First outbound connection from the same PID/user shortly after an inbound trigger.
Network Traffic Content (DC0085) NSM:Flow Inbound one-off packet to uncommon port → outbound SF to same src_ip within TimeWindow.
Mutable Elements
Field Description
BPFDevicePath Alternate BPF device paths if customized (default /dev/bpf*).
DeveloperMode Relax thresholds on known developer tooling hosts (Xcode, instrumenting tools).