T1205.002

Socket Filters

Defense Evasion Persistence Command and Control

Adversaries may attach Berkeley Packet Filter (BPF) programs or libpcap-based filters to raw network sockets to create passive backdoors that activate only upon receipt of crafted "magic" packets. Unlike conventional backdoors that maintain open listening ports, socket filter implants remain completely dormant—consuming negligible CPU, maintaining no active connections, and appearing nowhere in netstat or ss output—until a specially crafted packet matching the filter criteria arrives on the monitored interface. Implementation uses either libpcap's pcap_setfilter() function or the POSIX setsockopt() system call with SO_ATTACH_FILTER (cBPF, optname 26) or SO_ATTACH_BPF (eBPF, optname 50). The technique requires CAP_NET_RAW or CAP_NET_ADMIN on Linux, or Administrator rights on Windows with WinPcap/Npcap installed. Confirmed real-world malware families include BPFDoor (attaches BPF filters monitoring ICMP, UDP, and TCP traffic on ports 22/80/443, triggered by a "magic" byte sequence in incoming packets to spawn a reverse shell), Penquin/Turla (installs TCP and UDP filters on the eth0 interface for C2 activation), CASTLETAP (listens for specialized ICMP packets on compromised Fortinet devices), and PITSTOP (evaluates commands on a domain socket at /data/runtime/cockpit/wd.fd using a predefined magic byte sequence). Detection is exceptionally difficult due to the passive nature of the implant: no open ports, minimal CPU overhead, and limited enterprise visibility into raw socket API usage.

Microsoft Sentinel / Defender

kusto

// T1205.002 — Socket Filters / BPF Passive Backdoor Detection
// REQUIREMENT: Linux auditd with syslog forwarding to Microsoft Sentinel.
// Deploy these auditd rules on monitored Linux hosts:
//   -a always,exit -F arch=b64 -S socket -k bpf_socket_filter
//   -a always,exit -F arch=b64 -S setsockopt -k bpf_socket_filter
//   -a always,exit -F arch=b64 -S execve -k bpf_socket_filter
// Signal 1 (highest fidelity) is specific to setsockopt SO_ATTACH_FILTER.
// Signal 3 requires MDE Linux agent and does not need auditd.
let LegitimateCaptureBinaries = dynamic([
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump",
    "/usr/bin/tshark", "/usr/bin/dumpcap",
    "/usr/sbin/dhclient", "/sbin/dhclient", "/usr/bin/dhclient",
    "/usr/sbin/arping", "/usr/bin/ping", "/bin/ping",
    "/usr/bin/nmap", "/usr/sbin/nmap",
    "/usr/bin/hping3", "/usr/sbin/hping3",
    "/usr/bin/scapy"
]);
// Signal 1: BPF filter attachment via setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, ...)
// x86-64 Linux: syscall=54 (setsockopt), a1=1 (SOL_SOCKET=1), a2=1a (SO_ATTACH_FILTER=26=0x1a)
// This is the exact syscall BPFDoor and libpcap use to install packet filters.
let BPFFilterAttach = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage contains "type=SYSCALL"
    and SyslogMessage contains "syscall=54"
    and SyslogMessage contains "a1=1"
    and SyslogMessage contains "a2=1a"
| extend ProcessExe = extract(@"exe=\"([^\"]+)\"", 1, SyslogMessage)
| extend ProcessComm = extract(@"comm=\"([^\"]+)\"", 1, SyslogMessage)
| extend AuditUID = extract(@"\bauid=(\S+)", 1, SyslogMessage)
| extend HostPID = extract(@"\bpid=(\d+)", 1, SyslogMessage)
| extend HostPPID = extract(@"ppid=(\d+)", 1, SyslogMessage)
| where not(ProcessExe in~ (LegitimateCaptureBinaries))
| project TimeGenerated, HostName = Computer,
    ProcessExe, ProcessComm, AuditUID, HostPID, HostPPID,
    SignalType = "BPF_FILTER_SETSOCKOPT", ThreatLevel = "High";
// Signal 2: Raw packet socket creation by non-standard process
// AF_PACKET family = 17 = 0x11 (a0=11), or AF_INET+SOCK_RAW (a0=2 a1=3)
// x86-64 Linux: syscall=41 (socket())
let RawSocketCreate = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage contains "type=SYSCALL"
    and SyslogMessage contains "syscall=41"
    and (
        SyslogMessage contains " a0=11 "   // AF_PACKET = 0x11
        or (SyslogMessage contains " a0=2 " and SyslogMessage contains " a1=3 ")  // AF_INET + SOCK_RAW
    )
| extend ProcessExe = extract(@"exe=\"([^\"]+)\"", 1, SyslogMessage)
| extend ProcessComm = extract(@"comm=\"([^\"]+)\"", 1, SyslogMessage)
| extend AuditUID = extract(@"\bauid=(\S+)", 1, SyslogMessage)
| extend HostPID = extract(@"\bpid=(\d+)", 1, SyslogMessage)
| extend HostPPID = extract(@"ppid=(\d+)", 1, SyslogMessage)
| where not(ProcessExe in~ (LegitimateCaptureBinaries))
| project TimeGenerated, HostName = Computer,
    ProcessExe, ProcessComm, AuditUID, HostPID, HostPPID,
    SignalType = "RAW_SOCKET_AF_PACKET", ThreatLevel = "Medium";
// Signal 3: MDE on Linux — process execution from world-writable staging paths
// BPFDoor copies itself to /tmp or /dev/shm before attaching filters and deleting original
let BPFDoorStagingExec = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where OSPlatform has "Linux"
| where FolderPath startswith "/tmp/"
    or FolderPath startswith "/dev/shm/"
    or FolderPath startswith "/var/tmp/"
    or FolderPath startswith "/run/shm/"
    or FolderPath == "/var/run/initd.lock"
| where InitiatingProcessFileName !in~ (
    "bash", "sh", "zsh", "dash", "ksh",
    "apt", "apt-get", "dpkg", "yum", "dnf", "rpm",
    "pip", "pip3", "make", "gcc", "cc", "g++", "cargo", "go"
  )
| project TimeGenerated, HostName = DeviceName,
    ProcessExe = FolderPath, ProcessComm = FileName,
    AuditUID = AccountSid,
    HostPID = tostring(ProcessId), HostPPID = tostring(InitiatingProcessId),
    SignalType = "BPFDOOR_STAGING_PATH_EXEC", ThreatLevel = "High";
union BPFFilterAttach, RawSocketCreate, BPFDoorStagingExec
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Linux: Audit Daemon (auditd) via syslog forwarding to Sentinel Microsoft Defender for Endpoint — Linux agent Process: Process Creation Network: Network Connection Creation

Required Tables

Syslog DeviceProcessEvents

False Positives

Network performance monitoring agents (Datadog, New Relic, Dynatrace, Elastic Agent) that use libpcap for packet-level sampling on Linux servers — these internally call setsockopt(SO_ATTACH_FILTER) and will trigger Signal 1
Container networking plugins in Kubernetes environments (Cilium in eBPF mode, Calico eBPF, Weave Net) that attach BPF programs to network interfaces as part of normal CNI pod networking — generates high volumes of BPF-related syscalls
Active network security tools such as Zeek (Bro), Suricata, Snort, or Falco running in packet capture mode on network sensors — all use AF_PACKET raw sockets
System daemons that open raw sockets for legitimate protocol handling: dhclient (DHCP), radvd (IPv6 RA), and keepalived (VRRP) use AF_INET raw sockets
Developer environments where engineers interactively run Scapy, Python socket experiments, or custom pcap-based tooling from /tmp or home directories
Kubernetes kube-proxy in iptables or ipvs mode and various CNI implementations executing scripts from temporary directories during pod network setup

Splunk

spl

| comment "T1205.002 — Socket Filters / BPF Passive Backdoor Detection"
| comment "Requires: Splunk Add-on for Unix and Linux (TA-nix) or equivalent providing linux_audit sourcetype"
| comment "Deploy auditd rules: -a always,exit -F arch=b64 -S socket -S setsockopt -k bpf_socket_filter"
index=linux sourcetype=linux_audit type=SYSCALL
| eval is_bpf_attach=if(syscall="54" AND a1="1" AND a2="1a", 1, 0)
| eval is_raw_sock_packet=if(syscall="41" AND a0="11", 1, 0)
| eval is_raw_sock_inet=if(syscall="41" AND a0="2" AND a1="3", 1, 0)
| where is_bpf_attach=1 OR is_raw_sock_packet=1 OR is_raw_sock_inet=1
| eval SignalType=case(
    is_bpf_attach=1, "BPF_FILTER_SETSOCKOPT",
    is_raw_sock_packet=1, "RAW_SOCKET_AF_PACKET",
    is_raw_sock_inet=1, "RAW_SOCKET_INET_RAW",
    true(), "UNKNOWN"
  )
| eval ThreatLevel=if(is_bpf_attach=1, "High", "Medium")
| eval ProcessExe=exe
| where NOT ProcessExe IN (
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump",
    "/usr/bin/tshark", "/usr/bin/dumpcap",
    "/usr/sbin/dhclient", "/sbin/dhclient", "/usr/bin/dhclient",
    "/usr/sbin/arping", "/usr/bin/ping", "/bin/ping",
    "/usr/bin/nmap", "/usr/sbin/nmap",
    "/usr/bin/hping3", "/usr/sbin/hping3"
  )
| eval ProcessComm=comm, AuditUID=auid, HostPID=pid, HostPPID=ppid
| table _time, host, ProcessExe, ProcessComm, AuditUID, HostPID, HostPPID,
    SignalType, ThreatLevel, syscall, a0, a1, a2
| sort - _time

high severity medium confidence

Data Sources

Linux: Audit Daemon (auditd) Splunk Add-on for Unix and Linux (TA-nix) Process: Process Creation Network: Socket Creation

Required Sourcetypes

linux_audit

False Positives

Network monitoring agents (Datadog, New Relic, Dynatrace) using libpcap internally — will trigger the BPF_FILTER_SETSOCKOPT signal and require allowlisting by exe path
Zeek, Suricata, Snort IDS/IPS sensors using AF_PACKET raw sockets for traffic capture — high volume on dedicated sensor hosts, allowlist by exe path
DHCP client daemons (dhclient, systemd-networkd, NetworkManager) opening raw sockets for DHCP packet handling — already allowlisted in the query
Kubernetes CNI plugins (Cilium eBPF, Weave Net) running as containers with host network access — may appear as unfamiliar exe paths requiring per-environment tuning
Developer workstations where Python Scapy scripts or custom pcap tools are run interactively from home directories or /tmp

Elastic Security (EQL)

eql

/* T1205.002 — Socket Filters / BPF Passive Backdoor Detection */
/* Requires: Elastic Agent 8.x with auditd integration on Linux hosts */
/* Deploy auditd rules on each host: */
/*   -a always,exit -F arch=b64 -S socket -k bpf_socket_filter */
/*   -a always,exit -F arch=b64 -S setsockopt -k bpf_socket_filter */

/* Signal 1: setsockopt(SOL_SOCKET=1, SO_ATTACH_FILTER=0x1a) — syscall 54 */
/* Signal 2a: socket(AF_PACKET=0x11, ...) — syscall 41, a0=11 */
/* Signal 2b: socket(AF_INET=2, SOCK_RAW=3) — syscall 41, a0=2, a1=3 */

any where event.module == "auditd"
  and event.action == "syscall"
  and (
    (
      auditd.data.syscall in ("54", "setsockopt")
      and auditd.data.a1 == "1"
      and auditd.data.a2 == "1a"
    )
    or
    (
      auditd.data.syscall in ("41", "socket")
      and auditd.data.a0 == "11"
    )
    or
    (
      auditd.data.syscall in ("41", "socket")
      and auditd.data.a0 == "2"
      and auditd.data.a1 == "3"
    )
  )
  and not process.executable in (
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump",
    "/usr/bin/tshark", "/usr/bin/dumpcap",
    "/usr/sbin/dhclient", "/sbin/dhclient", "/usr/bin/dhclient",
    "/usr/sbin/arping", "/usr/bin/ping", "/bin/ping",
    "/usr/bin/nmap", "/usr/sbin/nmap",
    "/usr/bin/hping3", "/usr/sbin/hping3",
    "/usr/bin/scapy"
  )

/* --- Companion hunt rule: BPFDoor staging path execution via Elastic Agent process telemetry --- */
/* Uncomment and run separately — does not require auditd, uses Elastic Agent process events */
/*
process where host.os.type == "linux"
  and event.type == "start"
  and (
    process.executable like "/tmp/*"
    or process.executable like "/dev/shm/*"
    or process.executable like "/var/tmp/*"
    or process.executable like "/run/shm/*"
  )
  and not process.parent.executable in (
    "/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh",
    "/usr/bin/apt", "/usr/bin/apt-get", "/usr/bin/dpkg",
    "/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/rpm",
    "/usr/bin/pip", "/usr/bin/pip3",
    "/usr/bin/make", "/usr/bin/gcc", "/usr/bin/cc",
    "/usr/bin/cargo", "/usr/local/go/bin/go"
  )
*/

high severity high confidence

Data Sources

Elastic Agent 8.x with auditd integration (linux/audit module) Elastic Agent process telemetry (for companion staging path hunt)

Required Tables

logs-auditd_manager.auditd-* logs-endpoint.events.process-*

False Positives

Packet capture tools (tcpdump, tshark, dumpcap) installed in non-standard paths such as /opt/tools/bin/ or /usr/local/sbin/ will not match the allowlist and will alert — audit your environment for non-standard capture binary locations and extend the allowlist accordingly before deploying to production
Container networking CNI plugins (Calico, Cilium, Flannel, Weave) create AF_PACKET sockets during pod networking initialisation and overlay network setup on Kubernetes worker nodes; expect sustained Signal 2 alerts on k8s nodes and allowlist CNI plugin binaries after verification
Cloud provider host agents (AWS SSM Agent ssm-agent-worker, GCP guest-agent, Azure walinuxagent) occasionally create raw sockets for specific ICMP or ARP operations during health checks and metadata refresh cycles — correlate with known agent binary paths to filter
Network performance monitoring agents such as ntopng, pmacct, or NetFlow exporters use AF_PACKET sockets continuously to capture traffic for telemetry; these are likely present in network-heavy environments and should be allowlisted after inventory

IBM QRadar (AQL)

sql

/* T1205.002 — Socket Filters / BPF Passive Backdoor Detection */
/* Requires: Linux hosts with auditd configured and syslog-ng/rsyslog forwarding to QRadar */
/* auditd rules on each monitored host: */
/*   -a always,exit -F arch=b64 -S socket -S setsockopt -k bpf_socket_filter */

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid)                     AS "Log Source",
  sourceip                                        AS "Host IP",
  "username"                                      AS "Audit UID",
  "pid"                                           AS "PID",
  "ppid"                                          AS "PPID",
  "exe"                                           AS "Process Exe",
  "comm"                                          AS "Process Comm",
  "syscall"                                       AS "Syscall",
  "a0"                                            AS "Arg0",
  "a1"                                            AS "Arg1",
  "a2"                                            AS "Arg2",
  CASE
    WHEN "syscall" = '54' AND "a1" = '1' AND "a2" = '1a'
      THEN 'BPF_FILTER_SETSOCKOPT'
    WHEN "syscall" = '41' AND "a0" = '11'
      THEN 'RAW_SOCKET_AF_PACKET'
    WHEN "syscall" = '41' AND "a0" = '2' AND "a1" = '3'
      THEN 'RAW_SOCKET_INET_RAW'
    ELSE 'UNKNOWN'
  END AS "Signal Type",
  CASE
    WHEN "syscall" = '54' AND "a1" = '1' AND "a2" = '1a'
      THEN 'High'
    ELSE 'Medium'
  END AS "Threat Level"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Linux%'
  AND "category" = 'SYSCALL'
  AND (
    /* Signal 1: setsockopt(SOL_SOCKET=1, SO_ATTACH_FILTER=26=0x1a) */
    ("syscall" = '54' AND "a1" = '1' AND "a2" = '1a')
    OR
    /* Signal 2a: socket(AF_PACKET=0x11, ...) */
    ("syscall" = '41' AND "a0" = '11')
    OR
    /* Signal 2b: socket(AF_INET=2, SOCK_RAW=3) */
    ("syscall" = '41' AND "a0" = '2' AND "a1" = '3')
  )
  AND "exe" NOT IN (
    '/usr/sbin/tcpdump', '/usr/bin/tcpdump',
    '/usr/bin/tshark',   '/usr/bin/dumpcap',
    '/usr/sbin/dhclient','/sbin/dhclient',  '/usr/bin/dhclient',
    '/usr/sbin/arping',  '/usr/bin/ping',   '/bin/ping',
    '/usr/bin/nmap',     '/usr/sbin/nmap',
    '/usr/bin/hping3',   '/usr/sbin/hping3'
  )
  AND devicetime > NOW() - 1 DAYS
ORDER BY devicetime DESC

high severity high confidence

Data Sources

Linux auditd via syslog forwarding to QRadar (rsyslog/syslog-ng) QRadar Log Source Type: Linux OS / SysLog

Required Tables

events

False Positives

Security monitoring tools such as Falco, Sysdig agent, and osquery use SO_ATTACH_BPF (optname 50, a2=0x32) rather than SO_ATTACH_FILTER (0x1a) for eBPF programs — they will not match Signal 1, but their socket() calls for AF_PACKET may trigger Signal 2; add their binary paths to the exclusion list after confirming deployment locations
Custom-compiled or non-standard-path packet capture tools used by network operations or security teams will bypass the allowlist because the exe field won't match the standard /usr/bin/ paths; conduct a one-time survey of raw socket users (sudo bpftool prog list; lsof | grep SOCK_RAW) and extend the allowlist
DHCP clients embedded in network management daemons (NetworkManager's built-in DHCP client vs external dhclient) and software-defined networking components (Open vSwitch vswitchd) create raw sockets that will generate Signal 2 alerts; these are high-volume and should be addressed in the exclusion list before enabling automated alerting

Sumo Logic CSE

sql

/* T1205.002 — Socket Filters / BPF Passive Backdoor Detection */
/* Requires: Sumo Logic Installed Collector on Linux hosts with auditd log source, */
/* OR Sumo Logic Cloud Syslog source receiving linux_audit events */
/* Auditd rules on each host: */
/*   -a always,exit -F arch=b64 -S socket -S setsockopt -k bpf_socket_filter */

(_sourceCategory=linux/audit OR _sourceCategory=linux_audit OR _sourceCategory=*auditd*)
type=SYSCALL
| where syscall IN ("54", "41")
| eval is_bpf_attach     = if(syscall == "54" AND a1 == "1" AND a2 == "1a", 1, 0)
| eval is_raw_pkt        = if(syscall == "41" AND a0 == "11", 1, 0)
| eval is_raw_inet       = if(syscall == "41" AND a0 == "2" AND a1 == "3", 1, 0)
| where is_bpf_attach == 1 OR is_raw_pkt == 1 OR is_raw_inet == 1
| eval SignalType = if(is_bpf_attach == 1, "BPF_FILTER_SETSOCKOPT",
                  if(is_raw_pkt    == 1, "RAW_SOCKET_AF_PACKET",
                  if(is_raw_inet   == 1, "RAW_SOCKET_INET_RAW", "UNKNOWN")))
| eval ThreatLevel = if(is_bpf_attach == 1, "High", "Medium")
| where !(exe IN (
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump",
    "/usr/bin/tshark",   "/usr/bin/dumpcap",
    "/usr/sbin/dhclient","/sbin/dhclient",  "/usr/bin/dhclient",
    "/usr/sbin/arping",  "/usr/bin/ping",   "/bin/ping",
    "/usr/bin/nmap",     "/usr/sbin/nmap",
    "/usr/bin/hping3",   "/usr/sbin/hping3"
  ))
| fields _messageTime, _sourceHost, exe, comm, auid, pid, ppid,
         syscall, a0, a1, a2, SignalType, ThreatLevel
| sort by _messageTime desc

/* --- Companion hunt: BPFDoor staging path execution via Sumo Logic process events --- */
/* Run separately if you have Sumo Logic Installed Collector process audit data */
/*
(_sourceCategory=linux/audit OR _sourceCategory=*auditd*)
type=EXECVE
| parse field=exe "*" as ProcessPath
| where ProcessPath matches "/tmp/*"
   OR ProcessPath matches "/dev/shm/*"
   OR ProcessPath matches "/var/tmp/*"
   OR ProcessPath matches "/run/shm/*"
| where !(ProcessPath matches "*/bash"
     OR ProcessPath matches "*/sh"
     OR ProcessPath matches "*/python*"
     OR ProcessPath matches "*/perl")
| fields _messageTime, _sourceHost, ProcessPath, auid, pid, ppid
| sort by _messageTime desc
*/

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Linux auditd log source Sumo Logic Cloud Syslog receiving auditd output via syslog-ng/rsyslog

Required Tables

_sourceCategory=linux/audit _sourceCategory=linux_audit

False Positives

Packet capture tools installed in non-standard paths (/opt/, /usr/local/, home directories) will not be filtered by the IN() allowlist — run a baseline query removing the allowlist filter and evaluate exe field values in your environment before tuning
DHCP client software embedded within network management frameworks (NetworkManager internal DHCP, systemd-networkd) uses raw sockets during address acquisition; filter by process name comm field matching 'NetworkManager' or 'systemd-network' to reduce noise from these sources
Kubernetes networking components on worker nodes, particularly CNI plugins using eBPF (Cilium), attach BPF programs to network interfaces during pod lifecycle events and will generate Signal 1 alerts; correlate with kubelet process context and expected pod scheduling times to distinguish from malicious activity

Google Chronicle / SecOps

yaral

// T1205.002 — Socket Filters / BPF Passive Backdoor Detection
// Rule 1 of 2: Auditd SYSCALL signals — BPF filter attachment and raw socket creation
// Requires Chronicle ingestion of Linux auditd logs with LINUX_AUDIT log type parser

rule t1205_002_bpf_socket_filter_syscall {
  meta:
    author          = "df00tech"
    description     = "Detects setsockopt(SO_ATTACH_FILTER) and raw socket creation (AF_PACKET/SOCK_RAW) used by BPFDoor, Penquin/Turla, CASTLETAP, and PITSTOP passive backdoors (T1205.002)"
    mitre_tactic    = "Defense Evasion, Persistence, Command And Control"
    mitre_technique = "T1205.002"
    reference       = "https://attack.mitre.org/techniques/T1205/002/"
    severity        = "HIGH"
    priority        = "HIGH"
    version         = "1.1"
    created         = "2026-04-19"

  events:
    $e.metadata.log_type = "LINUX_AUDIT"
    $e.metadata.product_event_type = "SYSCALL"
    (
      // Signal 1: setsockopt(SOL_SOCKET=1, SO_ATTACH_FILTER=26=0x1a) — syscall 54
      // Direct BPF filter installation: highest fidelity, matches BPFDoor exactly
      (
        re.regex($e.target.process.command_line, `syscall=54`) and
        re.regex($e.target.process.command_line, `\ba1=1\b`) and
        re.regex($e.target.process.command_line, `\ba2=1a\b`)
      )
      or
      // Signal 2a: socket(AF_PACKET=0x11, ...) — syscall 41, a0=11
      // Raw packet socket creation: precursor step before BPF filter attachment
      (
        re.regex($e.target.process.command_line, `syscall=41`) and
        re.regex($e.target.process.command_line, `\ba0=11\b`)
      )
      or
      // Signal 2b: socket(AF_INET=2, SOCK_RAW=3) — syscall 41, a0=2, a1=3
      (
        re.regex($e.target.process.command_line, `syscall=41`) and
        re.regex($e.target.process.command_line, `\ba0=2\b`) and
        re.regex($e.target.process.command_line, `\ba1=3\b`)
      )
    )
    not $e.principal.process.file.full_path = "/usr/sbin/tcpdump"
    not $e.principal.process.file.full_path = "/usr/bin/tcpdump"
    not $e.principal.process.file.full_path = "/usr/bin/tshark"
    not $e.principal.process.file.full_path = "/usr/bin/dumpcap"
    not $e.principal.process.file.full_path = "/usr/sbin/dhclient"
    not $e.principal.process.file.full_path = "/sbin/dhclient"
    not $e.principal.process.file.full_path = "/usr/bin/dhclient"
    not $e.principal.process.file.full_path = "/usr/sbin/arping"
    not $e.principal.process.file.full_path = "/usr/bin/ping"
    not $e.principal.process.file.full_path = "/bin/ping"
    not $e.principal.process.file.full_path = "/usr/bin/nmap"
    not $e.principal.process.file.full_path = "/usr/sbin/nmap"
    not $e.principal.process.file.full_path = "/usr/bin/hping3"
    not $e.principal.process.file.full_path = "/usr/sbin/hping3"

  condition:
    $e
}

// Rule 2 of 2: BPFDoor staging path execution
// Detects execution of binaries from world-writable paths — BPFDoor copies
// itself to /tmp or /dev/shm before attaching filters and deleting the original
// Requires Chronicle PROCESS_LAUNCH event ingestion (Elastic/CrowdStrike/Sysmon Linux)

rule t1205_002_bpfdoor_staging_exec {
  meta:
    author          = "df00tech"
    description     = "Detects process execution from world-writable staging paths associated with BPFDoor self-copy persistence mechanism (T1205.002)"
    mitre_tactic    = "Defense Evasion, Persistence"
    mitre_technique = "T1205.002"
    reference       = "https://attack.mitre.org/techniques/T1205/002/"
    severity        = "HIGH"
    priority        = "HIGH"
    version         = "1.0"
    created         = "2026-04-19"

  events:
    $p.metadata.event_type = "PROCESS_LAUNCH"
    (
      $p.target.process.file.full_path = /^\/tmp\// or
      $p.target.process.file.full_path = /^\/dev\/shm\// or
      $p.target.process.file.full_path = /^\/var\/tmp\// or
      $p.target.process.file.full_path = /^\/run\/shm\//
    )
    // Exclude known-legitimate parent processes that routinely write to temp paths
    not re.regex($p.principal.process.file.full_path,
      `/(bash|dash|sh|zsh|ksh|apt|apt-get|dpkg|yum|dnf|rpm|pip3?|make|gcc|cc|g\+\+|cargo|go)$`)
    not re.regex($p.target.process.file.full_path, `\.py$`)
    not re.regex($p.target.process.file.full_path, `\.sh$`)

  condition:
    $p
}

high severity medium confidence

Data Sources

Google Chronicle SIEM with LINUX_AUDIT log type ingestion Chronicle UDM PROCESS_LAUNCH events (Elastic Agent, CrowdStrike Falcon, or Sysmon for Linux)

Required Tables

LINUX_AUDIT UDM log type PROCESS_LAUNCH UDM event type

False Positives

The command_line regex match in Rule 1 assumes the Chronicle LINUX_AUDIT parser preserves the raw auditd record format in the command_line field; if your parser extracts structured fields instead, this rule will not fire and must be rewritten using the appropriate extracted field paths — validate against a known auditd SYSCALL event in your Chronicle environment before deploying
Legitimate shell scripts or build systems that create and immediately execute helper binaries in /tmp/ (e.g., cmake test runners, language runtime temp files) will trigger Rule 2 — tune by adding the relevant parent process paths to the exclusion regex and monitoring for recurring false positive sources
Container image builds that execute post-install scripts from temporary TMPFS mounts will generate Rule 2 alerts on container build hosts — consider creating a separate Chronicle reference list of build host hostnames and excluding them from Rule 2 using a NOT condition against principal.hostname

CrowdStrike LogScale (CQL)

cql

// T1205.002 — Socket Filters / BPF Passive Backdoor Detection
// Signal 1: BPFDoor staging path execution (ProcessRollup2)
// BPFDoor copies itself to /tmp or /dev/shm, executes from that path, attaches BPF filter, then deletes the original
// This signal is available from standard Falcon sensor telemetry without additional auditd configuration

#event_simpleName = "ProcessRollup2"
| event_platform = "Lin"
| ImageFileName = /^(\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\/shm\/)/
// Exclude known-legitimate parent processes that routinely spawn from temp paths
| ParentBaseFileName != "bash"
| ParentBaseFileName != "sh"
| ParentBaseFileName != "zsh"
| ParentBaseFileName != "dash"
| ParentBaseFileName != "ksh"
| ParentBaseFileName != "apt"
| ParentBaseFileName != "apt-get"
| ParentBaseFileName != "dpkg"
| ParentBaseFileName != "yum"
| ParentBaseFileName != "dnf"
| ParentBaseFileName != "rpm"
| ParentBaseFileName != "pip"
| ParentBaseFileName != "pip3"
| ParentBaseFileName != "make"
| ParentBaseFileName != "gcc"
| ParentBaseFileName != "cc"
| ParentBaseFileName != "g++"
| ParentBaseFileName != "cargo"
| ParentBaseFileName != "go"
// Exclude script interpreters executing temp files (common in CI pipelines)
| not ImageFileName = /\.(py|sh|rb|pl|js)$/
| groupBy(
    [ComputerName, ImageFileName, CommandLine, ParentBaseFileName, UserName, ParentProcessId],
    function = count(aid, as=EventCount)
  )
| sort(EventCount, order=asc)

// =============================================================================
// Signal 2 (companion query — run separately):
// Processes with anomalous CAP_NET_RAW / CAP_NET_ADMIN usage — Falcon eBPF telemetry
// Requires Falcon sensor 7.x+ with enhanced Linux sensor capabilities enabled
// =============================================================================
//
// #event_simpleName = "ProcessRollup2"
// | event_platform = "Lin"
// | EffectiveCapabilities = /0x(2000|4000|[0-9a-f]*2[0-9a-f]{3})/
// | not ImageFileName = /\/(tcpdump|tshark|dumpcap|dhclient|ping|nmap|hping3|ss|ip|netstat)$/
// | groupBy([ComputerName, ImageFileName, UserName, EffectiveCapabilities], function=count(aid, as=EventCount))
// | sort(EventCount, order=desc)

// =============================================================================
// Signal 3 (companion query — run separately):
// Suspicious network socket activity: process bound to port 0 with no listening state
// (passive socket filters don't appear in ss/netstat but Falcon may capture socket metadata)
// =============================================================================
//
// #event_simpleName = "NetworkConnectIP4"
// | event_platform = "Lin"
// | LocalPort = "0"
// | not ImageFileName = /\/(tcpdump|tshark|dumpcap|dhclient|ping|nmap|hping3)$/
// | groupBy([ComputerName, ImageFileName, UserName, RemoteAddressIP4, RemotePort], function=count(aid, as=C))
// | sort(C, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor 6.x+ for Linux (ProcessRollup2 events) CrowdStrike Falcon Sensor 7.x+ for Linux (enhanced eBPF telemetry for capability/network companion queries)

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Continuous integration and build systems (GitLab Runner, Jenkins agent, GitHub Actions self-hosted runner) routinely execute compiled test artifacts and post-build scripts from /tmp/ directories; filter by UserName matching known CI service account names (gitlab-runner, jenkins, github-actions) to suppress these at the query level
Software package post-install scripts executed by dpkg/apt/rpm extract and run helper binaries from /tmp/ during package installation; these are excluded via the ParentBaseFileName filter but novel package manager wrappers or custom automation tools may still trigger — correlate with package installation system logs to verify
Kubernetes init containers and sidecar injection mechanisms (Istio, Linkerd) may execute bootstrapping binaries from mounted tmpfs volumes that resolve to /tmp/ paths; add Kubernetes node hostnames or pod namespace context to an exception list if running Falcon on k8s worker nodes

Last updated: 2026-04-19 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1205.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Socket Filters

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections