T1205.002 Google Chronicle · YARA-L

Detect Socket Filters in Google Chronicle

Adversaries may attach Berkeley Packet Filter (BPF) programs or libpcap-based filters to raw network sockets to create passive backdoors that activate only upon receipt of crafted "magic" packets. Unlike conventional backdoors that maintain open listening ports, socket filter implants remain completely dormant—consuming negligible CPU, maintaining no active connections, and appearing nowhere in netstat or ss output—until a specially crafted packet matching the filter criteria arrives on the monitored interface. Implementation uses either libpcap's pcap_setfilter() function or the POSIX setsockopt() system call with SO_ATTACH_FILTER (cBPF, optname 26) or SO_ATTACH_BPF (eBPF, optname 50). The technique requires CAP_NET_RAW or CAP_NET_ADMIN on Linux, or Administrator rights on Windows with WinPcap/Npcap installed. Confirmed real-world malware families include BPFDoor (attaches BPF filters monitoring ICMP, UDP, and TCP traffic on ports 22/80/443, triggered by a "magic" byte sequence in incoming packets to spawn a reverse shell), Penquin/Turla (installs TCP and UDP filters on the eth0 interface for C2 activation), CASTLETAP (listens for specialized ICMP packets on compromised Fortinet devices), and PITSTOP (evaluates commands on a domain socket at /data/runtime/cockpit/wd.fd using a predefined magic byte sequence). Detection is exceptionally difficult due to the passive nature of the implant: no open ports, minimal CPU overhead, and limited enterprise visibility into raw socket API usage.

MITRE ATT&CK

Tactic
Defense Evasion Persistence Command and Control
Technique
T1205 Traffic Signaling
Sub-technique
T1205.002 Socket Filters
Canonical reference
https://attack.mitre.org/techniques/T1205/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
// T1205.002 — Socket Filters / BPF Passive Backdoor Detection
// Rule 1 of 2: Auditd SYSCALL signals — BPF filter attachment and raw socket creation
// Requires Chronicle ingestion of Linux auditd logs with LINUX_AUDIT log type parser

rule t1205_002_bpf_socket_filter_syscall {
  meta:
    author          = "df00tech"
    description     = "Detects setsockopt(SO_ATTACH_FILTER) and raw socket creation (AF_PACKET/SOCK_RAW) used by BPFDoor, Penquin/Turla, CASTLETAP, and PITSTOP passive backdoors (T1205.002)"
    mitre_tactic    = "Defense Evasion, Persistence, Command And Control"
    mitre_technique = "T1205.002"
    reference       = "https://attack.mitre.org/techniques/T1205/002/"
    severity        = "HIGH"
    priority        = "HIGH"
    version         = "1.1"
    created         = "2026-04-19"

  events:
    $e.metadata.log_type = "LINUX_AUDIT"
    $e.metadata.product_event_type = "SYSCALL"
    (
      // Signal 1: setsockopt(SOL_SOCKET=1, SO_ATTACH_FILTER=26=0x1a) — syscall 54 on x86_64
      // Direct BPF filter installation: highest fidelity, matches BPFDoor exactly.
      // Syscall numbers are architecture-specific (these assume arch=c000003e); adjust for non-x86_64 hosts.
      // Note: SO_ATTACH_BPF (eBPF, optname 50, i.e. a2=32) is not matched by this signal as written.
      (
        re.regex($e.target.process.command_line, `\bsyscall=54\b`) and
        re.regex($e.target.process.command_line, `\ba1=1\b`) and
        re.regex($e.target.process.command_line, `\ba2=1a\b`)
      )
      or
      // Signal 2a: socket(AF_PACKET=0x11, ...) — syscall 41, a0=11
      // Raw packet socket creation: precursor step before BPF filter attachment
      (
        re.regex($e.target.process.command_line, `\bsyscall=41\b`) and
        re.regex($e.target.process.command_line, `\ba0=11\b`)
      )
      or
      // Signal 2b: socket(AF_INET=2, SOCK_RAW=3) — syscall 41, a0=2, a1=3
      // a1 may carry flag bits (e.g. a1=80003 for SOCK_RAW|SOCK_CLOEXEC); extend the a1 regex if your hosts set them
      (
        re.regex($e.target.process.command_line, `\bsyscall=41\b`) and
        re.regex($e.target.process.command_line, `\ba0=2\b`) and
        re.regex($e.target.process.command_line, `\ba1=3\b`)
      )
    )
    not $e.principal.process.file.full_path = "/usr/sbin/tcpdump"
    not $e.principal.process.file.full_path = "/usr/bin/tcpdump"
    not $e.principal.process.file.full_path = "/usr/bin/tshark"
    not $e.principal.process.file.full_path = "/usr/bin/dumpcap"
    not $e.principal.process.file.full_path = "/usr/sbin/dhclient"
    not $e.principal.process.file.full_path = "/sbin/dhclient"
    not $e.principal.process.file.full_path = "/usr/bin/dhclient"
    not $e.principal.process.file.full_path = "/usr/sbin/arping"
    not $e.principal.process.file.full_path = "/usr/bin/ping"
    not $e.principal.process.file.full_path = "/bin/ping"
    not $e.principal.process.file.full_path = "/usr/bin/nmap"
    not $e.principal.process.file.full_path = "/usr/sbin/nmap"
    not $e.principal.process.file.full_path = "/usr/bin/hping3"
    not $e.principal.process.file.full_path = "/usr/sbin/hping3"

  condition:
    $e
}

// Rule 2 of 2: BPFDoor staging path execution
// Detects execution of binaries from world-writable paths — BPFDoor copies
// itself to /tmp or /dev/shm before attaching filters and deleting the original
// Requires Chronicle PROCESS_LAUNCH event ingestion (Elastic/CrowdStrike/Sysmon Linux)

rule t1205_002_bpfdoor_staging_exec {
  meta:
    author          = "df00tech"
    description     = "Detects process execution from world-writable staging paths associated with BPFDoor self-copy persistence mechanism (T1205.002)"
    mitre_tactic    = "Defense Evasion, Persistence"
    mitre_technique = "T1205.002"
    reference       = "https://attack.mitre.org/techniques/T1205/002/"
    severity        = "HIGH"
    priority        = "HIGH"
    version         = "1.0"
    created         = "2026-04-19"

  events:
    $p.metadata.event_type = "PROCESS_LAUNCH"
    (
      $p.target.process.file.full_path = /^\/tmp\// or
      $p.target.process.file.full_path = /^\/dev\/shm\// or
      $p.target.process.file.full_path = /^\/var\/tmp\// or
      $p.target.process.file.full_path = /^\/run\/shm\//
    )
    // Exclude known-legitimate parent processes that routinely write to temp paths
    not re.regex($p.principal.process.file.full_path,
      `/(bash|dash|sh|zsh|ksh|apt|apt-get|dpkg|yum|dnf|rpm|pip3?|make|gcc|cc|g\+\+|cargo|go)$`)
    not re.regex($p.target.process.file.full_path, `\.py$`)
    not re.regex($p.target.process.file.full_path, `\.sh$`)

  condition:
    $p
}
Severity: high. Confidence: medium.

Two Chronicle YARA-L 2.0 rules detecting T1205.002 socket filter implants. Rule 1 targets Linux auditd SYSCALL events for setsockopt(SO_ATTACH_FILTER) and socket(AF_PACKET/SOCK_RAW) calls by processes outside the known-good allowlist; this covers the exact syscall signatures of BPFDoor, Penquin/Turla, CASTLETAP, and PITSTOP. Rule 1 matches only the cBPF option (a2=1a); the eBPF option SO_ATTACH_BPF (optname 50, a2=32) described above is not covered as written. Rule 2 targets the BPFDoor staging path execution pattern, where the implant copies itself to /tmp or /dev/shm before attaching BPF filters. Note: Rule 1 uses command_line regex matching on raw SYSCALL audit records; adjust to your Chronicle LINUX_AUDIT parser's specific field mappings if your parser extracts syscall/a0/a1/a2 as discrete UDM fields.
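To validate the matching logic of both rules against known auditd events before deploying them (as the note above recommends), the following offline evaluator re-implements Rule 1 and Rule 2 over raw auditd SYSCALL lines. It is an added example, not df00tech's code or the Chronicle rule itself; it assumes x86_64 syscall numbers (arch=c000003e) and auditd's usual formatting (syscall= in decimal, a0..a3 in hex without a 0x prefix), and it goes beyond the YARA-L rule by also matching SO_ATTACH_BPF and by masking socket type flag bits. The sample records are constructed to mirror the expected signals from the Testing Methodology section.

```python
"""Offline evaluator for Rule 1 / Rule 2 over raw auditd SYSCALL records.
Added example (not the page's rule); assumes x86_64 syscall numbers."""
import re
import shlex

# x86_64 syscall numbers and socket constants used by the page's rules
SYS_SOCKET, SYS_SETSOCKOPT, SYS_EXECVE = 41, 54, 59
AF_INET, AF_PACKET, SOCK_RAW = 2, 17, 3
SOCK_TYPE_MASK = 0x0F            # strips SOCK_NONBLOCK / SOCK_CLOEXEC flag bits
SOL_SOCKET, SO_ATTACH_FILTER, SO_ATTACH_BPF = 1, 26, 50

# Same allowlist as Rule 1: capture tools and raw-socket utilities
ALLOWLIST = {
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump", "/usr/bin/tshark", "/usr/bin/dumpcap",
    "/usr/sbin/dhclient", "/sbin/dhclient", "/usr/bin/dhclient", "/usr/sbin/arping",
    "/usr/bin/ping", "/bin/ping", "/usr/bin/nmap", "/usr/sbin/nmap",
    "/usr/bin/hping3", "/usr/sbin/hping3",
}
# Rule 2 staging paths and exclusions
STAGING_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/shm/")
PARENT_EXCLUDE = re.compile(
    r"/(bash|dash|sh|zsh|ksh|apt|apt-get|dpkg|yum|dnf|rpm|pip3?|make|gcc|cc|g\+\+|cargo|go)$")
SCRIPT_EXCLUDE = re.compile(r"\.(py|sh)$")


def parse_audit_record(line):
    """Split 'type=SYSCALL ... a0=11 exe="/usr/bin/python3"' into a dict.
    shlex handles the quoted values auditd emits for comm=, exe= and key=."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def _num(fields, name, base):
    """Integer value of a record field, or None when absent or unparseable."""
    try:
        return int(fields[name], base)
    except (KeyError, ValueError):
        return None


def rule1_signal(fields):
    """Rule 1: BPF filter attachment or raw/packet socket creation by a process
    outside the allowlist. Returns the signal name or None. Also matches
    SO_ATTACH_BPF (eBPF, optname 50), which the YARA-L rule as written does not."""
    if fields.get("type") != "SYSCALL" or fields.get("arch", "c000003e") != "c000003e":
        return None
    if fields.get("exe") in ALLOWLIST:
        return None
    syscall = _num(fields, "syscall", 10)
    a0, a1, a2 = (_num(fields, n, 16) for n in ("a0", "a1", "a2"))
    if syscall == SYS_SETSOCKOPT and a1 == SOL_SOCKET:
        if a2 == SO_ATTACH_FILTER:
            return "setsockopt(SO_ATTACH_FILTER)"
        if a2 == SO_ATTACH_BPF:
            return "setsockopt(SO_ATTACH_BPF)"
    if syscall == SYS_SOCKET and a0 is not None and a1 is not None:
        if a0 == AF_PACKET:
            return "socket(AF_PACKET)"
        # a1=80003 is SOCK_RAW|SOCK_CLOEXEC; the rule's `\ba1=3\b` would miss it
        if a0 == AF_INET and (a1 & SOCK_TYPE_MASK) == SOCK_RAW:
            return "socket(AF_INET, SOCK_RAW)"
    return None


def rule2_signal(exe, parent_exe=None):
    """Rule 2: execution from a world-writable staging path. parent_exe comes
    from PROCESS_LAUNCH telemetry; auditd SYSCALL records carry ppid but not
    the parent's path, so the parent exclusion is optional here."""
    if not exe or not exe.startswith(STAGING_PREFIXES) or SCRIPT_EXCLUDE.search(exe):
        return None
    if parent_exe and PARENT_EXCLUDE.search(parent_exe):
        return None
    return "execve from staging path"


def scan(lines):
    """Evaluate both rules over raw auditd lines; one alert dict per hit."""
    alerts = []
    for line in lines:
        f = parse_audit_record(line)
        signal = rule1_signal(f)
        if signal is None and f.get("type") == "SYSCALL" and _num(f, "syscall", 10) == SYS_EXECVE:
            signal = rule2_signal(f.get("exe"))
        if signal:
            alerts.append({"signal": signal, "pid": f.get("pid"), "exe": f.get("exe")})
    return alerts


# Constructed sample records (timestamps, pids and the /dev/shm name are made up)
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1713500000.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=3 a2=3 a3=0 pid=4242 ppid=4100 comm="python3" exe="/usr/bin/python3" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1713500000.102:202): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=1 a2=1a a3=7ffd0a1b2c30 pid=4242 ppid=4100 comm="python3" exe="/usr/bin/python3" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1713500000.103:203): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=3 a2=3 a3=0 pid=4310 ppid=4100 comm="tcpdump" exe="/usr/sbin/tcpdump" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1713500000.104:204): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=80003 a2=1 a3=0 pid=4350 ppid=1 comm="probe" exe="/opt/agent/probe" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1713500000.105:205): arch=c000003e syscall=59 success=yes exit=0 a0=5648a1b2c3d0 a1=5648a1b2c400 a2=5648a1b2c500 a3=0 pid=4400 ppid=4100 comm="deadbeef" exe="/dev/shm/deadbeef" key="staging_exec"',
    'type=SYSCALL msg=audit(1713500000.106:206): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=32 a3=7ffd0a1b2d40 pid=4500 ppid=1 comm="ebpf-tool" exe="/usr/local/bin/ebpf-tool" key="bpf_socket_filter"',
    'type=PROCTITLE msg=audit(1713500000.106:206): proctitle=707974686F6E33',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Feed it a file of real SYSCALL records from a host where the Test 1 and Test 2 procedures were run and compare the alert list with what Chronicle raises; a record the evaluator flags but the Chronicle rule misses usually points at a parser field-mapping difference or at one of the two gaps noted in the code (SO_ATTACH_BPF, socket type flag bits).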

Data Sources

  • Google Chronicle SIEM with LINUX_AUDIT log type ingestion
  • Chronicle UDM PROCESS_LAUNCH events (Elastic Agent, CrowdStrike Falcon, or Sysmon for Linux)

Required Tables

  • LINUX_AUDIT UDM log type
  • PROCESS_LAUNCH UDM event type

False Positives & Tuning

  • The command_line regex match in Rule 1 assumes the Chronicle LINUX_AUDIT parser preserves the raw auditd record format in the command_line field; if your parser extracts structured fields instead, this rule will not fire and must be rewritten using the appropriate extracted field paths — validate against a known auditd SYSCALL event in your Chronicle environment before deploying
  • Legitimate shell scripts or build systems that create and immediately execute helper binaries in /tmp/ (e.g., cmake test runners, language runtime temp files) will trigger Rule 2 — tune by adding the relevant parent process paths to the exclusion regex and monitoring for recurring false positive sources
  • Container image builds that execute post-install scripts from temporary TMPFS mounts will generate Rule 2 alerts on container build hosts — consider creating a separate Chronicle reference list of build host hostnames and excluding them from Rule 2 using a NOT condition against principal.hostname
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AF_PACKET Raw Socket Creation (BPFDoor Initial Socket Setup)

    Expected signal: auditd SYSCALL record: type=SYSCALL arch=c000003e syscall=41 success=yes a0=11 a1=3 a2=3 comm="python3" exe="/usr/bin/python3" key="bpf_socket_filter". The a0=11 value (hex for AF_PACKET=17) is the primary indicator. MDE on Linux may generate a DeviceProcessEvents record for the python3 process with the command line containing the socket creation code.

  2. Test 2: BPF Filter Attachment via setsockopt(SO_ATTACH_FILTER)

    Expected signal: Two auditd SYSCALL records will be generated: (1) socket() — syscall=41, a0=11, a1=3 with key=bpf_socket_filter; (2) setsockopt() — syscall=54, a1=1 (SOL_SOCKET), a2=1a (SO_ATTACH_FILTER=26=0x1a) with success=yes. Both records will have comm="python3" and exe="/usr/bin/python3". This is the highest-fidelity test of the primary detection signal.

  3. Test 3: BPFDoor Binary Staging from Temporary Directory

    Expected signal: auditd SYSCALL record for execve (syscall=59) where exe=/dev/shm/.<random_name>. MDE Linux DeviceProcessEvents record with FolderPath='/dev/shm/' and FileName matching the random name. The random filename pattern (8 hex characters) mimics BPFDoor's naming convention. After deletion, a subsequent ls of /dev/shm would not show the file, but /proc/<pid>/exe would show '<path> (deleted)' if the process were still running.

  4. Test 4: Magic Packet Trigger Simulation via ICMP with Specific Payload

    Expected signal: auditd SYSCALL records for socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) and sendto(). Network-level: ICMP packet visible in /proc/net/icmp or packet captures. If a network sensor (Zeek, Suricata) is monitoring the interface, the unusual ICMP payload bytes (0xDEADBEEF pattern) will appear in ICMP logs. MDE Network Events may capture the raw socket creation for the sending process.
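Two of the host-side artefacts listed above can be hunted directly from /proc without auditd: the AF_PACKET socket that Test 1 creates appears in /proc/net/packet, and the Test 3 implant whose on-disk file was deleted shows up as '<path> (deleted)' on /proc/<pid>/exe. The following hunt combines both; it is an added example, not part of the page or of df00tech's detection package. The live collector reads /proc and needs root to see other users' processes; the constructed sample data (socket address, inode, pids and the /dev/shm filename are all made up) stands in for that so the logic runs offline.

```python
"""Hunt for AF_PACKET socket owners and deleted staging-path executables via
/proc. Added example, not from the page; sample data below is constructed."""
import os

STAGING_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/shm/")
DELETED_SUFFIX = " (deleted)"


def packet_socket_inodes(proc_net_packet_text):
    """Parse /proc/net/packet into {inode: (socket_type, iface_index)}.
    Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    result = {}
    for line in proc_net_packet_text.strip().splitlines()[1:]:  # skip header
        cols = line.split()
        result[int(cols[8])] = (int(cols[2]), int(cols[4]))
    return result


def classify_exe(link_target):
    """Interpret readlink('/proc/<pid>/exe'); the kernel appends ' (deleted)'
    when the on-disk file is gone but the process is still running."""
    deleted = link_target.endswith(DELETED_SUFFIX)
    path = link_target[:-len(DELETED_SUFFIX)] if deleted else link_target
    return {"path": path, "deleted": deleted, "staged": path.startswith(STAGING_PREFIXES)}


def assess(proc_net_packet_text, fd_links, exe_links):
    """fd_links: {pid: [readlink result for each /proc/<pid>/fd/*]}
    exe_links: {pid: readlink result for /proc/<pid>/exe}
    Returns one finding per process that owns a packet socket, runs from a
    staging path, or runs a deleted executable."""
    inodes = packet_socket_inodes(proc_net_packet_text)
    findings = []
    for pid, exe_target in exe_links.items():
        info = classify_exe(exe_target)
        # fd links to sockets look like 'socket:[45210]'; take the inode number
        owned = [int(t[8:-1]) for t in fd_links.get(pid, []) if t.startswith("socket:[")]
        info["packet_sockets"] = sorted(i for i in owned if i in inodes)
        info["pid"] = pid
        if info["packet_sockets"] or info["deleted"] or info["staged"]:
            findings.append(info)
    return findings


def collect_from_proc(proc_root="/proc"):
    """Live collector; returns (fd_links, exe_links) in the shape assess() expects."""
    fd_links, exe_links = {}, {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            exe_links[pid] = os.readlink(os.path.join(proc_root, pid, "exe"))
            fd_dir = os.path.join(proc_root, pid, "fd")
            fd_links[pid] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # kernel thread, process already exited, or no permission
    return fd_links, exe_links


# Constructed sample data: one packet socket (Type 3 = SOCK_RAW, Proto 0003 = ETH_P_ALL)
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b3c4d5e60 3      3    0003   2     1 0      0      45210
"""
SAMPLE_FD_LINKS = {
    "1": ["/dev/null"],
    "4242": ["/dev/null", "socket:[45210]"],
    "4300": ["socket:[45999]"],          # a TCP socket, not a packet socket
}
SAMPLE_EXE_LINKS = {
    "1": "/usr/lib/systemd/systemd",
    "4242": "/dev/shm/deadbeef (deleted)",
    "4300": "/usr/sbin/sshd",
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS, SAMPLE_EXE_LINKS):
        print(finding)
```

On a live host replace the sample data with `open("/proc/net/packet").read()` and the tuple from `collect_from_proc()`; `ss -0p` gives the same packet-socket-to-process mapping for a quick manual cross-check. A legitimate capture tool such as tcpdump will also appear in the packet-socket findings, so the allowlist from Rule 1 applies here too; the combination of a packet socket with a deleted or staging-path executable is the part that matches the Test 1 and Test 3 artefacts together.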
