Detect Socket Filters in IBM QRadar
Adversaries may attach Berkeley Packet Filter (BPF) programs or libpcap-based filters to raw network sockets to create passive backdoors that activate only upon receipt of crafted "magic" packets. Unlike conventional backdoors that maintain open listening ports, socket filter implants remain completely dormant—consuming negligible CPU, maintaining no active connections, and appearing nowhere in netstat or ss output—until a specially crafted packet matching the filter criteria arrives on the monitored interface. Implementation uses either libpcap's pcap_setfilter() function or the POSIX setsockopt() system call with SO_ATTACH_FILTER (cBPF, optname 26) or SO_ATTACH_BPF (eBPF, optname 50). The technique requires CAP_NET_RAW or CAP_NET_ADMIN on Linux, or Administrator rights on Windows with WinPcap/Npcap installed. Confirmed real-world malware families include BPFDoor (attaches BPF filters monitoring ICMP, UDP, and TCP traffic on ports 22/80/443, triggered by a "magic" byte sequence in incoming packets to spawn a reverse shell), Penquin/Turla (installs TCP and UDP filters on the eth0 interface for C2 activation), CASTLETAP (listens for specialized ICMP packets on compromised Fortinet devices), and PITSTOP (evaluates commands on a domain socket at /data/runtime/cockpit/wd.fd using a predefined magic byte sequence). Detection is exceptionally difficult due to the passive nature of the implant: no open ports, minimal CPU overhead, and limited enterprise visibility into raw socket API usage.
MITRE ATT&CK
- Technique
- T1205 Traffic Signaling
- Sub-technique
- T1205.002 Socket Filters
- Canonical reference
- https://attack.mitre.org/techniques/T1205/002/
QRadar Detection Query
/* T1205.002 — Socket Filters / BPF Passive Backdoor Detection */
/* Requires: Linux hosts with auditd configured and syslog-ng/rsyslog forwarding to QRadar */
/* auditd rules on each monitored host: */
/* -a always,exit -F arch=b64 -S socket -S setsockopt -k bpf_socket_filter */
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
LOGSOURCENAME(logsourceid) AS "Log Source",
sourceip AS "Host IP",
"username" AS "Audit UID",
"pid" AS "PID",
"ppid" AS "PPID",
"exe" AS "Process Exe",
"comm" AS "Process Comm",
"syscall" AS "Syscall",
"a0" AS "Arg0",
"a1" AS "Arg1",
"a2" AS "Arg2",
CASE
WHEN "syscall" = '54' AND "a1" = '1' AND "a2" = '1a'
THEN 'BPF_FILTER_SETSOCKOPT'
WHEN "syscall" = '41' AND "a0" = '11'
THEN 'RAW_SOCKET_AF_PACKET'
WHEN "syscall" = '41' AND "a0" = '2' AND "a1" = '3'
THEN 'RAW_SOCKET_INET_RAW'
ELSE 'UNKNOWN'
END AS "Signal Type",
CASE
WHEN "syscall" = '54' AND "a1" = '1' AND "a2" = '1a'
THEN 'High'
ELSE 'Medium'
END AS "Threat Level"
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) ILIKE '%Linux%'
AND "category" = 'SYSCALL'
AND (
/* Signal 1: setsockopt(SOL_SOCKET=1, SO_ATTACH_FILTER=26=0x1a) */
("syscall" = '54' AND "a1" = '1' AND "a2" = '1a')
OR
/* Signal 2a: socket(AF_PACKET=0x11, ...) */
("syscall" = '41' AND "a0" = '11')
OR
/* Signal 2b: socket(AF_INET=2, SOCK_RAW=3) */
("syscall" = '41' AND "a0" = '2' AND "a1" = '3')
)
AND "exe" NOT IN (
'/usr/sbin/tcpdump', '/usr/bin/tcpdump',
'/usr/bin/tshark', '/usr/bin/dumpcap',
'/usr/sbin/dhclient','/sbin/dhclient', '/usr/bin/dhclient',
'/usr/sbin/arping', '/usr/bin/ping', '/bin/ping',
'/usr/bin/nmap', '/usr/sbin/nmap',
'/usr/bin/hping3', '/usr/sbin/hping3'
)
AND devicetime > NOW() - 1 DAYS
ORDER BY devicetime DESCAQL query against the QRadar events store detecting BPF socket filter attachment (setsockopt syscall 54 with SOL_SOCKET and SO_ATTACH_FILTER arguments at 0x1a) and raw socket creation (socket syscall 41 with AF_PACKET=0x11 or AF_INET=2/SOCK_RAW=3) from processes not in the known-good capture binary allowlist. Targets Linux auditd SYSCALL events ingested via syslog forwarding. Signal 1 (setsockopt) maps directly to the BPFDoor and libpcap filter installation code path and is rated High severity. Signal 2 (raw socket) is rated Medium as raw sockets are required before a BPF filter can be attached.
Data Sources
Required Tables
False Positives & Tuning
- Security monitoring tools such as Falco, Sysdig agent, and osquery use SO_ATTACH_BPF (optname 50, a2=0x32) rather than SO_ATTACH_FILTER (0x1a) for eBPF programs — they will not match Signal 1, but their socket() calls for AF_PACKET may trigger Signal 2; add their binary paths to the exclusion list after confirming deployment locations
- Custom-compiled or non-standard-path packet capture tools used by network operations or security teams will bypass the allowlist because the exe field won't match the standard /usr/bin/ paths; conduct a one-time survey of raw socket users (sudo bpftool prog list; lsof | grep SOCK_RAW) and extend the allowlist
- DHCP clients embedded in network management daemons (NetworkManager's built-in DHCP client vs external dhclient) and software-defined networking components (Open vSwitch vswitchd) create raw sockets that will generate Signal 2 alerts; these are high-volume and should be addressed in the exclusion list before enabling automated alerting
Other platforms for T1205.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AF_PACKET Raw Socket Creation (BPFDoor Initial Socket Setup)
Expected signal: auditd SYSCALL record: type=SYSCALL arch=c000003e syscall=41 success=yes a0=11 a1=3 a2=3 comm="python3" exe="/usr/bin/python3" key="bpf_socket_filter". The a0=11 value (hex for AF_PACKET=17) is the primary indicator. MDE on Linux may generate a DeviceProcessEvents record for the python3 process with the command line containing the socket creation code.
- Test 2BPF Filter Attachment via setsockopt(SO_ATTACH_FILTER)
Expected signal: Two auditd SYSCALL records will be generated: (1) socket() — syscall=41, a0=11, a1=3 with key=bpf_socket_filter; (2) setsockopt() — syscall=54, a1=1 (SOL_SOCKET), a2=1a (SO_ATTACH_FILTER=26=0x1a) with success=yes. Both records will have comm="python3" and exe="/usr/bin/python3". This is the highest-fidelity test of the primary detection signal.
- Test 3BPFDoor Binary Staging from Temporary Directory
Expected signal: auditd SYSCALL record for execve (syscall=59) where exe=/dev/shm/.<random_name>. MDE Linux DeviceProcessEvents record with FolderPath='/dev/shm/' and FileName matching the random name. The random filename pattern (8 hex characters) mimics BPFDoor's naming convention. After deletion, a subsequent ls of /dev/shm would not show the file, but /proc/<pid>/exe would show '<path> (deleted)' if the process were still running.
- Test 4Magic Packet Trigger Simulation via ICMP with Specific Payload
Expected signal: auditd SYSCALL records for socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) and sendto(). Network-level: ICMP packet visible in /proc/net/icmp or packet captures. If a network sensor (Zeek, Suricata) is monitoring the interface, the unusual ICMP payload bytes (0xDEADBEEF pattern) will appear in ICMP logs. MDE Network Events may capture the raw socket creation for the sending process.
References (11)
- https://attack.mitre.org/techniques/T1205/002/
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/
- https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.deepinstinct.com/blog/bpfdoor-an-active-chinese-global-surveillance-tool
- https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
- https://blog.aquasec.com/ebpf-vulnerability-bpfdoor
- https://man7.org/linux/man-pages/man7/packet.7.html
- https://man7.org/linux/man-pages/man7/socket.7.html
- http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf
Unlock Pro Content
Get the full detection package for T1205.002 including response playbook, investigation guide, and atomic red team tests.