title: Socket Filters (T1205.002)
id: df00tech-t1205-002
status: experimental
description: "Adversaries may attach Berkeley Packet Filter (BPF) programs or libpcap-based filters to raw network sockets to create passive backdoors that activate only upon receipt of crafted \"magic\" packets. Unlike conventional backdoors that maintain open listening ports, socket filter implants remain completely dormant—consuming negligible CPU, maintaining no active connections, and appearing nowhere in netstat or ss output—until a specially crafted packet matching the filter criteria arrives on the monitored interface. Implementation uses either libpcap's pcap_setfilter() function or the POSIX setsockopt() system call with SO_ATTACH_FILTER (cBPF, optname 26) or SO_ATTACH_BPF (eBPF, optname 50). The technique requires CAP_NET_RAW or CAP_NET_ADMIN on Linux, or Administrator rights on Windows with WinPcap/Npcap installed. Confirmed real-world malware families include BPFDoor (attaches BPF filters monitoring ICMP, UDP, and TCP traffic on ports 22/80/443, triggered by a \"magic\" byte sequence in incoming packets to spawn a reverse shell), Penquin/Turla (installs TCP and UDP filters on the eth0 interface for C2 activation), CASTLETAP (listens for specialized ICMP packets on compromised Fortinet devices), and PITSTOP (evaluates commands on a domain socket at /data/runtime/cockpit/wd.fd using a predefined magic byte sequence). Detection is exceptionally difficult due to the passive nature of the implant: no open ports, minimal CPU overhead, and limited enterprise visibility into raw socket API usage."
references:
  - https://attack.mitre.org/techniques/T1205/002/
  - https://df00tech.com/detections/T1205.002
author: df00tech
date: 2026/04/19
tags:
  - attack.t1205.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Network performance monitoring agents (Datadog, New Relic, Dynatrace, Elastic Agent) that use libpcap for packet-level sampling on Linux servers — these internally call setsockopt(SO_ATTACH_FILTER) and will trigger Signal 1"
  - "Container networking plugins in Kubernetes environments (Cilium in eBPF mode, Calico eBPF, Weave Net) that attach BPF programs to network interfaces as part of normal CNI pod networking — generates high volumes of BPF-related syscalls"
  - "Active network security tools such as Zeek (Bro), Suricata, Snort, or Falco running in packet capture mode on network sensors — all use AF_PACKET raw sockets"
  - "System daemons that open raw sockets for legitimate protocol handling: dhclient (DHCP), radvd (IPv6 RA), and keepalived (VRRP) use AF_INET raw sockets"
  - "Developer environments where engineers interactively run Scapy, Python socket experiments, or custom pcap-based tooling from /tmp or home directories"
  - "Kubernetes kube-proxy in iptables or ipvs mode and various CNI implementations executing scripts from temporary directories during pod network setup"
level: high
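Companion example (appended after the rule, not part of the rule itself or of df00tech's KQL/SPL query): the description names the concrete Linux attach path, setsockopt() at SOL_SOCKET with optname 26 (SO_ATTACH_FILTER) or 50 (SO_ATTACH_BPF), and the falsepositives section names agents that legitimately do the same. The script below turns that into host-level hunting logic over raw auditd SYSCALL records: it flags setsockopt calls that attach a socket filter, downgrades hits from an allowlist of known packet-capture tools, and escalates hits whose executable lives in /tmp, /dev/shm, /var/tmp or a home directory (the "developer environment" and BPFDoor-style cases). Assumptions: raw auditd key=value format, x86_64 syscall numbering (setsockopt = 54), and a constructed allowlist and sample log; none of these come from the rule.

```python
"""Hunt for socket-filter attaches (SO_ATTACH_FILTER / SO_ATTACH_BPF) in raw auditd logs.

Records like these are produced by an audit rule such as
    auditctl -a always,exit -F arch=b64 -S setsockopt -F a1=1 -k sockopt
which logs every SOL_SOCKET setsockopt call (a1 == SOL_SOCKET == 1).
"""
import re

# Values from the rule description: optnames at the SOL_SOCKET level.
SOL_SOCKET = 1
SO_ATTACH_FILTER = 26   # classic BPF
SO_ATTACH_BPF = 50      # eBPF program fd

# Assumption: x86_64 ABI, where setsockopt is syscall 54 and arch=c000003e.
SYSCALL_SETSOCKOPT_X86_64 = 54
ARCH_X86_64 = "c000003e"

# Constructed allowlist of executables that attach filters as part of normal
# operation (capture tools and daemons listed under falsepositives).
ALLOWLIST_EXE = frozenset({
    "/opt/zeek/bin/zeek",
    "/usr/bin/suricata",
    "/usr/bin/tcpdump",
    "/usr/sbin/dhclient",
})

# Paths from which a filter-attaching process is unusual on a server.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# auditd writes space-separated key=value pairs; comm/exe/key are double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return a dict of fields for a SYSCALL record, else None."""
    if not line.startswith("type=SYSCALL"):
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(fields):
    """Return (severity, reason) if the record attaches a socket filter, else None."""
    if fields is None or fields.get("arch") != ARCH_X86_64:
        return None
    if int(fields.get("syscall", "-1")) != SYSCALL_SETSOCKOPT_X86_64:
        return None
    # Syscall args are logged as bare hex (a1=1, a2=1a).
    level = int(fields.get("a1", "0"), 16)
    optname = int(fields.get("a2", "0"), 16)
    if level != SOL_SOCKET or optname not in (SO_ATTACH_FILTER, SO_ATTACH_BPF):
        return None
    kind = "cBPF(SO_ATTACH_FILTER)" if optname == SO_ATTACH_FILTER else "eBPF(SO_ATTACH_BPF)"
    exe = fields.get("exe", "")
    if exe in ALLOWLIST_EXE:
        return ("info", f"{kind} by allowlisted {exe}")
    if exe.startswith(SUSPICIOUS_PREFIXES):
        return ("high", f"{kind} from suspicious path {exe}")
    return ("medium", f"{kind} by unlisted {exe}")


def hunt(log_text):
    """Scan raw audit text; return [(pid, severity, reason), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        verdict = classify(fields)
        if verdict is not None:
            findings.append((fields["pid"], verdict[0], verdict[1]))
    return findings


# Constructed sample log: one implant-like attach from /dev/shm, one from an
# allowlisted capture tool, one eBPF attach by an interactive python3, and one
# unrelated setsockopt (IPPROTO_TCP/TCP_NODELAY) that must not match.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713500000.101:301): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=1 a2=1a a3=7ffc1000 items=0 ppid=1 pid=4321 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="kdmtmpflush" exe="/dev/shm/kdmtmpflush" key="sockopt"
type=SYSCALL msg=audit(1713500000.202:302): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7ffc2000 items=0 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="zeek" exe="/opt/zeek/bin/zeek" key="sockopt"
type=SYSCALL msg=audit(1713500000.303:303): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=32 a3=7ffc3000 items=0 ppid=900 pid=9000 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" key="sockopt"
type=SYSCALL msg=audit(1713500000.404:304): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=6 a2=1 a3=7ffc4000 items=0 ppid=1 pid=1500 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="sockopt"
type=PROCTITLE msg=audit(1713500000.404:304): proctitle=2F7573722F7362696E2F73736864
"""

if __name__ == "__main__":
    for pid, severity, reason in hunt(SAMPLE_AUDIT_LOG):
        print(f"[{severity}] pid={pid} {reason}")
```

Because the rule's own logsource is a placeholder, the allowlist here is the tuning knob: on a sensor host the capture tools land at info, while a filter attach by an unlisted binary, or by anything under /tmp or /dev/shm, is the signal worth paging on. Pair it with a list of processes holding AF_PACKET sockets (for example from /proc/net/packet) to catch implants that were installed before auditing was enabled.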
