T1205.002 Elastic Security · Elastic

Detect Socket Filters in Elastic Security

Adversaries may attach Berkeley Packet Filter (BPF) programs or libpcap-based filters to raw network sockets to create passive backdoors that activate only upon receipt of crafted "magic" packets. Unlike conventional backdoors that maintain open listening ports, socket filter implants remain completely dormant—consuming negligible CPU, maintaining no active connections, and appearing nowhere in netstat or ss output—until a specially crafted packet matching the filter criteria arrives on the monitored interface. Implementation uses either libpcap's pcap_setfilter() function or the POSIX setsockopt() system call with SO_ATTACH_FILTER (cBPF, optname 26) or SO_ATTACH_BPF (eBPF, optname 50). The technique requires CAP_NET_RAW or CAP_NET_ADMIN on Linux, or Administrator rights on Windows with WinPcap/Npcap installed. Confirmed real-world malware families include BPFDoor (attaches BPF filters monitoring ICMP, UDP, and TCP traffic on ports 22/80/443, triggered by a "magic" byte sequence in incoming packets to spawn a reverse shell), Penquin/Turla (installs TCP and UDP filters on the eth0 interface for C2 activation), CASTLETAP (listens for specialized ICMP packets on compromised Fortinet devices), and PITSTOP (evaluates commands on a domain socket at /data/runtime/cockpit/wd.fd using a predefined magic byte sequence). Detection is exceptionally difficult due to the passive nature of the implant: no open ports, minimal CPU overhead, and limited enterprise visibility into raw socket API usage.

MITRE ATT&CK

Tactic: Defense Evasion, Persistence, Command and Control
Technique: T1205 Traffic Signaling
Sub-technique: T1205.002 Socket Filters
Canonical reference: https://attack.mitre.org/techniques/T1205/002/

Elastic Detection Query

Elastic Security (Elastic), query language: EQL
/* T1205.002 — Socket Filters / BPF Passive Backdoor Detection */
/* Requires: Elastic Agent 8.x with auditd integration on Linux hosts */
/* Deploy auditd rules on each host (x86_64; add matching -F arch=b32 rules where 32-bit binaries run): */
/*   -a always,exit -F arch=b64 -S socket -k bpf_socket_filter */
/*   -a always,exit -F arch=b64 -S setsockopt -k bpf_socket_filter */
/* As written these rules record every socket()/setsockopt() call; on busy hosts narrow them with */
/* argument filters such as -F a0=17 (AF_PACKET) or -F a1=1 -F a2=26 (SOL_SOCKET, SO_ATTACH_FILTER). */

/* auditd records syscall arguments as lowercase hex strings without a 0x prefix. */
/* Signal 1: setsockopt(SOL_SOCKET=1, SO_ATTACH_FILTER=0x1a or SO_ATTACH_BPF=0x32) — syscall 54 */
/* Signal 2a: socket(AF_PACKET=0x11, ...) — syscall 41, a0=11 */
/* Signal 2b: socket(AF_INET=2, SOCK_RAW=3) — syscall 41, a0=2, a1=3; callers commonly OR the type */
/*            with SOCK_NONBLOCK (0x800) and/or SOCK_CLOEXEC (0x80000), so those variants are matched too */

any where event.module == "auditd"
  and event.action == "syscall"
  and (
    (
      auditd.data.syscall in ("54", "setsockopt")
      and auditd.data.a1 == "1"
      and auditd.data.a2 in ("1a", "32")
    )
    or
    (
      auditd.data.syscall in ("41", "socket")
      and auditd.data.a0 == "11"
    )
    or
    (
      auditd.data.syscall in ("41", "socket")
      and auditd.data.a0 == "2"
      and auditd.data.a1 in ("3", "803", "80003", "80803")
    )
  )
  and not process.executable in (
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump",
    "/usr/bin/tshark", "/usr/bin/dumpcap",
    "/usr/sbin/dhclient", "/sbin/dhclient", "/usr/bin/dhclient",
    "/usr/sbin/arping", "/usr/bin/ping", "/bin/ping",
    "/usr/bin/nmap", "/usr/sbin/nmap",
    "/usr/bin/hping3", "/usr/sbin/hping3",
    "/usr/bin/scapy"
  )

/* --- Companion hunt rule: BPFDoor staging path execution via Elastic Agent process telemetry --- */
/* Uncomment and run separately — does not require auditd, uses Elastic Agent process events */
/* Caveat: excluding shell parents also suppresses binaries launched interactively or from scripts; */
/* treat the parent allowlist as a starting point for tuning, not as a production exclusion. */
/*
process where host.os.type == "linux"
  and event.type == "start"
  and (
    process.executable like "/tmp/*"
    or process.executable like "/dev/shm/*"
    or process.executable like "/var/tmp/*"
    or process.executable like "/run/shm/*"
  )
  and not process.parent.executable in (
    "/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh",
    "/usr/bin/apt", "/usr/bin/apt-get", "/usr/bin/dpkg",
    "/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/rpm",
    "/usr/bin/pip", "/usr/bin/pip3",
    "/usr/bin/make", "/usr/bin/gcc", "/usr/bin/cc",
    "/usr/bin/cargo", "/usr/local/go/bin/go"
  )
*/
Severity: high. Confidence: high.

Detects BPF socket filter attachment via setsockopt(SOL_SOCKET, SO_ATTACH_FILTER) (syscall 54, a1=1, a2=0x1a) and raw socket creation via socket(AF_PACKET) or socket(AF_INET, SOCK_RAW) (syscall 41) by processes outside the known-good capture binary allowlist. These are the exact syscall signatures used by BPFDoor, Penquin/Turla, CASTLETAP, and PITSTOP to install passive packet-filter backdoors. Signal 1 is the highest fidelity as it directly identifies BPF filter installation. Companion hunt rule (commented) covers BPFDoor staging path execution using standard Elastic Agent process telemetry without requiring auditd.

Data Sources

  • Elastic Agent 8.x with auditd integration (linux/audit module)
  • Elastic Agent process telemetry (for companion staging path hunt)

Required Tables

  • logs-auditd_manager.auditd-*
  • logs-endpoint.events.process-*

False Positives & Tuning

  • Packet capture tools (tcpdump, tshark, dumpcap) installed in non-standard paths such as /opt/tools/bin/ or /usr/local/sbin/ will not match the allowlist and will alert — audit your environment for non-standard capture binary locations and extend the allowlist accordingly before deploying to production
  • Container networking CNI plugins (Calico, Cilium, Flannel, Weave) create AF_PACKET sockets during pod networking initialisation and overlay network setup on Kubernetes worker nodes; expect sustained Signal 2 alerts on k8s nodes and allowlist CNI plugin binaries after verification
  • Cloud provider host agents (AWS SSM Agent ssm-agent-worker, GCP guest-agent, Azure walinuxagent) occasionally create raw sockets for specific ICMP or ARP operations during health checks and metadata refresh cycles — correlate with known agent binary paths to filter
  • Network performance monitoring agents such as ntopng, pmacct, or NetFlow exporters use AF_PACKET sockets continuously to capture traffic for telemetry; these are likely present in network-heavy environments and should be allowlisted after inventory


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AF_PACKET Raw Socket Creation (BPFDoor Initial Socket Setup)

    Expected signal: auditd SYSCALL record: type=SYSCALL arch=c000003e syscall=41 success=yes a0=11 a1=3 a2=3 comm="python3" exe="/usr/bin/python3" key="bpf_socket_filter". The a0=11 value (hex for AF_PACKET=17) is the primary indicator. MDE on Linux may generate a DeviceProcessEvents record for the python3 process with the command line containing the socket creation code.

  2. Test 2: BPF Filter Attachment via setsockopt(SO_ATTACH_FILTER)

    Expected signal: Two auditd SYSCALL records will be generated: (1) socket() — syscall=41, a0=11, a1=3 with key=bpf_socket_filter; (2) setsockopt() — syscall=54, a1=1 (SOL_SOCKET), a2=1a (SO_ATTACH_FILTER=26=0x1a) with success=yes. Both records will have comm="python3" and exe="/usr/bin/python3". This is the highest-fidelity test of the primary detection signal.

  3. Test 3: BPFDoor Binary Staging from Temporary Directory

    Expected signal: auditd SYSCALL record for execve (syscall=59) where exe=/dev/shm/.<random_name>. MDE Linux DeviceProcessEvents record with FolderPath='/dev/shm/' and FileName matching the random name. The random filename pattern (8 hex characters) mimics BPFDoor's naming convention. After deletion, a subsequent ls of /dev/shm would not show the file, but /proc/<pid>/exe would show '<path> (deleted)' if the process were still running.

  4. Test 4: Magic Packet Trigger Simulation via ICMP with Specific Payload

    Expected signal: auditd SYSCALL records for socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) and sendto(). Network-level: ICMP packet visible in /proc/net/icmp or packet captures. If a network sensor (Zeek, Suricata) is monitoring the interface, the unusual ICMP payload bytes (0xDEADBEEF pattern) will appear in ICMP logs. MDE Network Events may capture the raw socket creation for the sending process.
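To check the expected SYSCALL records from Tests 1 and 2 against the three signals of the detection rule before shipping them to Elastic, here is an added Python replay of that logic over constructed auditd lines (example code, not Elastic's or the page's own). It masks the socket type bits so SOCK_RAW combined with SOCK_CLOEXEC or SOCK_NONBLOCK is still caught, and treats SO_ATTACH_BPF (0x32) the same as SO_ATTACH_FILTER (0x1a); the sample records are constructed, not real captures.

```python
import re
from typing import Optional

# Allowlist copied from the EQL rule above: capture tools that legitimately open raw sockets.
ALLOWLIST = {
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump", "/usr/bin/tshark", "/usr/bin/dumpcap",
    "/usr/sbin/dhclient", "/sbin/dhclient", "/usr/bin/dhclient", "/usr/sbin/arping",
    "/usr/bin/ping", "/bin/ping", "/usr/bin/nmap", "/usr/sbin/nmap",
    "/usr/bin/hping3", "/usr/sbin/hping3", "/usr/bin/scapy",
}
SYS_SOCKET, SYS_SETSOCKOPT = 41, 54          # x86_64 syscall numbers (arch=c000003e)
AF_INET, AF_PACKET = 2, 17                   # auditd logs these as a0=2 / a0=11 (hex)
SOCK_RAW, SOCK_TYPE_MASK = 3, 0xF            # type is the low 4 bits; 0x800/0x80000 are flags
SOL_SOCKET, SO_ATTACH_FILTER, SO_ATTACH_BPF = 1, 26, 50   # cBPF (0x1a) and eBPF (0x32) attach
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_syscall_record(line: str) -> dict:
    """Split an auditd key=value record into a dict, dropping the quotes around comm/exe/key."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(line: str) -> Optional[str]:
    """Name the signal a record matches ('signal1', 'signal2a', 'signal2b') or None."""
    rec = parse_syscall_record(line)
    if rec.get("type") != "SYSCALL" or rec.get("success") != "yes" or rec.get("exe") in ALLOWLIST:
        return None
    syscall = int(rec["syscall"])
    a0, a1, a2 = (int(rec.get(k, "0"), 16) for k in ("a0", "a1", "a2"))  # args are hex strings
    if syscall == SYS_SETSOCKOPT and a1 == SOL_SOCKET and a2 in (SO_ATTACH_FILTER, SO_ATTACH_BPF):
        return "signal1"                     # BPF program attached to a socket
    if syscall == SYS_SOCKET and a0 == AF_PACKET:
        return "signal2a"                    # link-layer raw socket
    if syscall == SYS_SOCKET and a0 == AF_INET and (a1 & SOCK_TYPE_MASK) == SOCK_RAW:
        return "signal2b"                    # IPv4 raw socket, with or without SOCK_CLOEXEC/NONBLOCK
    return None

# Constructed sample records modelled on the expected signals listed in the tests above.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.100:1) arch=c000003e syscall=41 success=yes a0=11 a1=3 a2=3 comm="python3" exe="/usr/bin/python3" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1700000000.101:2) arch=c000003e syscall=54 success=yes a0=3 a1=1 a2=1a comm="python3" exe="/usr/bin/python3" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1700000000.102:3) arch=c000003e syscall=41 success=yes a0=2 a1=80003 a2=1 comm="kworker" exe="/dev/shm/.a1b2c3d4" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1700000000.103:4) arch=c000003e syscall=41 success=yes a0=11 a1=3 a2=300 comm="tcpdump" exe="/usr/sbin/tcpdump" key="bpf_socket_filter"',
    'type=SYSCALL msg=audit(1700000000.104:5) arch=c000003e syscall=41 success=yes a0=2 a1=1 a2=0 comm="curl" exe="/usr/bin/curl" key="bpf_socket_filter"',
]

def run(lines=SAMPLE_LOG) -> list:
    """Return (exe, signal) for every record that fires; the allowlisted and TCP samples must not."""
    return [(parse_syscall_record(l)["exe"], classify(l)) for l in lines if classify(l)]
```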
