| ID | Name |
|---|---|
| ATAGS-T1076.001 | Port Knocking |
| ATAGS-T1076.002 | Socket Filters |
Threat Actors may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, Threat Actors can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.