Socket Filters

Socket Filters [T1205.002]

Information

Name: Socket Filters
ID: T1205.002
Tactics: , ,
Technique:

Introduction

Socket Filters (T1205.002) is a sub-technique under the MITRE ATT&CK framework's Traffic Signaling (T1205) category. It involves adversaries leveraging socket filtering mechanisms, such as Berkeley Packet Filters (BPF), to intercept, inspect, or manipulate network traffic on compromised systems. This technique allows attackers to stealthily monitor communications, exfiltrate sensitive information, or maintain persistence without generating noticeable network anomalies or alerts.

Deep Dive Into Technique

Socket filters, particularly Berkeley Packet Filters (BPF), provide a powerful and flexible mechanism for filtering network traffic at the kernel level. Attackers exploit this functionality primarily in Unix/Linux-based operating systems. The following details explain the technical aspects of this technique:

Berkeley Packet Filters (BPF):
- BPF is a kernel-level packet filtering mechanism used to efficiently filter network packets based on predefined rules.
- It is commonly employed by legitimate tools such as tcpdump, Wireshark, and various network monitoring utilities.
- BPF programs are compiled into bytecode and executed directly within the kernel, providing high performance and minimal overhead.
Execution Methods and Mechanisms:
- Attackers may insert malicious BPF programs into the kernel using privileged access, typically requiring root-level permissions.
- Malicious socket filters can intercept network packets, extract sensitive data, or silently redirect traffic to attacker-controlled destinations.
- Attackers can use BPF programs to hide their network communications by selectively filtering or modifying packets, making detection more challenging.
Real-world Procedures:
- An attacker implants a custom BPF filter to silently capture credentials or sensitive communications transmitted over the network.
- BPF filters could be used to bypass host-based firewalls or Intrusion Detection Systems (IDS) by selectively dropping or altering packets to evade detection.
- Malicious kernel modules or rootkits may incorporate socket filters as part of their stealthy communication or persistence mechanisms.

When this Technique is Usually Used

Attackers typically deploy socket filters at various stages of an attack lifecycle, predominantly during post-compromise activities:

Initial Reconnaissance and Data Collection:
- Capturing credentials, sensitive data, or network communications to gather intelligence and facilitate lateral movement.
Persistence and Command-and-Control (C2):
- Establishing stealthy communication channels that blend with legitimate traffic patterns.
- Maintaining long-term access to a compromised system by evading traditional detection mechanisms.
Defense Evasion:
- Manipulating network packets to avoid triggering alerts from host-based or network-based security monitoring solutions.
- Concealing malicious network activities by selectively filtering or altering packets to evade detection and analysis.
Exfiltration:
- Secretly extracting sensitive data from compromised networks by embedding data within legitimate traffic flows or by redirecting packets to attacker-controlled infrastructure.

How this Technique is Usually Detected

Detection of malicious socket filters can be challenging due to their kernel-level operation and stealthy nature. However, several detection methods, tools, and indicators of compromise (IoCs) can help identify their presence:

Host-based Monitoring and Auditing:
- Regularly monitor kernel modules and loaded BPF programs using commands such as bpftool, bpftrace, or inspecting /proc/net/packet.
- Implement audit rules to log and monitor privileged commands (auditd) related to socket and BPF program installations.
Kernel Integrity Checks:
- Employ kernel integrity monitoring tools (e.g., Linux Kernel Runtime Guard (LKRG), OSSEC, Tripwire) to detect unauthorized kernel modifications or module insertions.
Network Behavior Analysis:
- Detect anomalies in network traffic patterns, such as unusual packet loss, delays, or unexpected packet modifications.
- Utilize network-based IDS/IPS systems (Snort, Suricata, Zeek) configured to detect abnormal packet structures or suspicious network behavior indicative of malicious socket filters.
Specific Indicators of Compromise (IoCs):
- Unexpected or unauthorized kernel modules or BPF programs loaded in the kernel.
- Presence of unknown or suspicious processes accessing raw sockets (AF_PACKET) or performing privileged networking operations.
- Unexplained network anomalies, such as dropped packets, altered packet headers, or unusual traffic redirection.

Why it is Important to Detect This Technique

Early detection of malicious socket filters is critical due to the significant risks and impact they pose to systems and networks:

Data Exfiltration and Espionage:
- Attackers can silently intercept and exfiltrate sensitive information, including credentials, intellectual property, and confidential communications.
Stealthy Persistence:
- Enables attackers to maintain persistent access and control over compromised systems without triggering network-based detection mechanisms.
Defense Evasion:
- Malicious socket filters can effectively bypass traditional host-based and network-based security controls, making detection and remediation significantly more difficult.
Impact on System Stability and Performance:
- Unauthorized kernel-level modifications can introduce instability, degrade performance, or cause unexpected system crashes and behavior.
Compliance and Regulatory Risks:
- Undetected malicious filters can lead to prolonged breaches, potentially resulting in regulatory violations, legal repercussions, and significant financial and reputational damage.

Examples

Below are real-world examples where attackers have leveraged socket filters (BPF) in attack scenarios:

Equation Group (NSA-linked threat actor):
- Utilized advanced Linux rootkits such as "BPFdoor," which leverages BPF filters to stealthily maintain persistent access and hide network communications.
- The rootkit intercepts and manipulates packets at the kernel level, making detection by traditional methods challenging.
BPFdoor Malware:
- A Linux-based backdoor malware that uses BPF filters to monitor incoming packets and open a stealthy backdoor communication channel.
- Operates silently by filtering packets based on specific magic bytes or packet structures, allowing attackers to bypass firewall rules and evade detection.
Pangu Lab's Discovery of "BPFDoor":
- Security researchers identified a sophisticated Linux backdoor leveraging BPF filters to evade detection and silently control compromised servers.
- The malware remained undetected for extended periods due to its kernel-level stealth and minimal footprint on the infected systems.
Advanced Persistent Threats (APTs):
- Several APT groups have been observed incorporating socket filtering techniques to conduct espionage, exfiltrate sensitive data, and maintain stealthy persistence within targeted networks.
- These attacks often involve customized kernel modules or rootkits that leverage BPF filters to manipulate and conceal network traffic.

These examples highlight the significant threat posed by socket filters (T1205.002), emphasizing the need for robust detection mechanisms, proactive monitoring, and comprehensive security practices to mitigate risks effectively.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Berkeley Packet Filters (BPF):

BPF is a kernel-level packet filtering mechanism used to efficiently filter network packets based on predefined rules.
It is commonly employed by legitimate tools such as tcpdump, Wireshark, and various network monitoring utilities.
BPF programs are compiled into bytecode and executed directly within the kernel, providing high performance and minimal overhead.

Execution Methods and Mechanisms:

Attackers may insert malicious BPF programs into the kernel using privileged access, typically requiring root-level permissions.
Malicious socket filters can intercept network packets, extract sensitive data, or silently redirect traffic to attacker-controlled destinations.
Attackers can use BPF programs to hide their network communications by selectively filtering or modifying packets, making detection more challenging.

Real-world Procedures:

An attacker implants a custom BPF filter to silently capture credentials or sensitive communications transmitted over the network.
BPF filters could be used to bypass host-based firewalls or Intrusion Detection Systems (IDS) by selectively dropping or altering packets to evade detection.
Malicious kernel modules or rootkits may incorporate socket filters as part of their stealthy communication or persistence mechanisms.

When this Technique is Usually Used

Attackers typically deploy socket filters at various stages of an attack lifecycle, predominantly during post-compromise activities:

Initial Reconnaissance and Data Collection:

Capturing credentials, sensitive data, or network communications to gather intelligence and facilitate lateral movement.

Persistence and Command-and-Control (C2):

Establishing stealthy communication channels that blend with legitimate traffic patterns.
Maintaining long-term access to a compromised system by evading traditional detection mechanisms.

Defense Evasion:

Manipulating network packets to avoid triggering alerts from host-based or network-based security monitoring solutions.
Concealing malicious network activities by selectively filtering or altering packets to evade detection and analysis.

Exfiltration:

Secretly extracting sensitive data from compromised networks by embedding data within legitimate traffic flows or by redirecting packets to attacker-controlled infrastructure.

How this Technique is Usually Detected

Host-based Monitoring and Auditing:

Regularly monitor kernel modules and loaded BPF programs using commands such as bpftool, bpftrace, or inspecting /proc/net/packet.
Implement audit rules to log and monitor privileged commands (auditd) related to socket and BPF program installations.

Kernel Integrity Checks:

Employ kernel integrity monitoring tools (e.g., Linux Kernel Runtime Guard (LKRG), OSSEC, Tripwire) to detect unauthorized kernel modifications or module insertions.

Network Behavior Analysis:

Detect anomalies in network traffic patterns, such as unusual packet loss, delays, or unexpected packet modifications.
Utilize network-based IDS/IPS systems (Snort, Suricata, Zeek) configured to detect abnormal packet structures or suspicious network behavior indicative of malicious socket filters.

Specific Indicators of Compromise (IoCs):

Unexpected or unauthorized kernel modules or BPF programs loaded in the kernel.
Presence of unknown or suspicious processes accessing raw sockets (AF_PACKET) or performing privileged networking operations.
Unexplained network anomalies, such as dropped packets, altered packet headers, or unusual traffic redirection.

Why it is Important to Detect This Technique

Early detection of malicious socket filters is critical due to the significant risks and impact they pose to systems and networks:

Data Exfiltration and Espionage:

Attackers can silently intercept and exfiltrate sensitive information, including credentials, intellectual property, and confidential communications.

Stealthy Persistence:

Enables attackers to maintain persistent access and control over compromised systems without triggering network-based detection mechanisms.

Defense Evasion:

Malicious socket filters can effectively bypass traditional host-based and network-based security controls, making detection and remediation significantly more difficult.

Impact on System Stability and Performance:

Unauthorized kernel-level modifications can introduce instability, degrade performance, or cause unexpected system crashes and behavior.

Compliance and Regulatory Risks:

Undetected malicious filters can lead to prolonged breaches, potentially resulting in regulatory violations, legal repercussions, and significant financial and reputational damage.

Examples

Below are real-world examples where attackers have leveraged socket filters (BPF) in attack scenarios:

Equation Group (NSA-linked threat actor):

Utilized advanced Linux rootkits such as "BPFdoor," which leverages BPF filters to stealthily maintain persistent access and hide network communications.
The rootkit intercepts and manipulates packets at the kernel level, making detection by traditional methods challenging.

BPFdoor Malware:

A Linux-based backdoor malware that uses BPF filters to monitor incoming packets and open a stealthy backdoor communication channel.
Operates silently by filtering packets based on specific magic bytes or packet structures, allowing attackers to bypass firewall rules and evade detection.

Pangu Lab's Discovery of "BPFDoor":

Security researchers identified a sophisticated Linux backdoor leveraging BPF filters to evade detection and silently control compromised servers.
The malware remained undetected for extended periods due to its kernel-level stealth and minimal footprint on the infected systems.

Advanced Persistent Threats (APTs):

Several APT groups have been observed incorporating socket filtering techniques to conduct espionage, exfiltrate sensitive data, and maintain stealthy persistence within targeted networks.
These attacks often involve customized kernel modules or rootkits that leverage BPF filters to manipulate and conceal network traffic.