| ID | C0001 |
| Objective(s) | Communication |
| Related ATT&CK Techniques | None |
| Version | 3.0 |
| Created | 25 September 2020 |
| Last Modified | 13 September 2023 |
This micro-behavior focuses on socket (TCP, UDP) communication.
Instead of being listed alphabetically, methods have been grouped to better faciliate labeling and mapping.
| Name | ID | Description |
|---|---|---|
| Set Socket Config | C0001.001 | Configure socket. |
| Initialize Winsock Library | C0001.009 | Winsock is initialized for TCP communication. |
| Start TCP Server | C0001.005 | A TCP server listens for client requests. |
| Create Socket | C0001.003 | A server or client creates a UDP or TCP socket. |
| Create UDP Socket | C0001.010 | A UDP socket is created. |
| Create TCP Socket | C0001.011 | A TCP socket is created. |
| Connect Socket | C0001.004 | A server or client connects via a TCP socket. |
| Get Socket Status | C0001.012 | Get socket status. |
| Send Data | C0001.007 | Send data on socket. |
| Send TCP Data | C0001.014 | Send TCP data. |
| Send UDP Data | C0001.015 | Send UDP data. |
| Receive Data | C0001.006 | Receive data on socket. |
| Receive TCP Data | C0001.016 | Receive TCP data. |
| Receive UDP Data | C0001.017 | Receive UDP data. |
| TCP Server | C0001.002 | TCP server behavior. |
| TCP Client | C0001.008 | TCP client behavior. |
| UDP Client | C0001.013 | UDP client behavior. |
| Name | Date | Method | Description |
|---|---|---|---|
| SYNful Knock | 2015 | C0001.014 | SYNful Knock initiates communication with the C2 server via a uniquely crafted TCP SYN packet sent to port 80 of the "implanted" router. [1] |
| Hupigon | 2013 | C0001.010 | Hupigon creates a UDP socket. [2] |
| Rombertik | 2015 | C0001.011 | Rombertik creates a TCP socket. [2] |
| Shamoon | 2012 | C0001.009 | Shamoon initializes a Winsock library. [2] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| start TCP server | Socket Communication::Start TCP Server (C0001.005) | listen, accept, WSAAccept, System.Net.Sockets.TcpListener::Start, System.Net.Sockets.TcpListener::AcceptTcpClient, System.Net.Sockets.TcpListener::BeginAcceptTcpClient, System.Net.Sockets.TcpListener::AcceptTcpClientAsync, System.Net.Sockets.TcpListener::AcceptSocket, System.Net.Sockets.TcpListener::BeginAcceptSocket, System.Net.Sockets.TcpListener::AcceptSocketAsync |
| act as TCP client | Socket Communication::TCP Client (C0001.008) | System.Net.Sockets.TcpClient::ctor |
| get socket status | Socket Communication::Get Socket Status (C0001.012) | ws2_32.select |
| create raw socket | Socket Communication::Create Socket (C0001.003) | socket, ws2_32.WSASocketA |
| set socket configuration | Socket Communication::Set Socket Config (C0001.001) | ws2_32.setsockopt, ws2_32.ioctlsocket |
| create VMCI socket | Socket Communication::Create Socket (C0001.003) | socket, DeviceIoControl, socket, ioctl |
| initialize Winsock library | Socket Communication::Initialize Winsock Library (C0001.009) | ws2_32.WSAStartup |
| connect TCP socket | Socket Communication::Connect Socket (C0001.004) | connect, ws2_32.connect, ws2_32.WSAConnect, ConnectEx, WSAIoctl, setsockopt, bind |
| create TCP socket | Socket Communication::Create TCP Socket (C0001.011) | ws2_32.socket, ws2_32.WSASocket, socket |
| create TCP socket via raw AFD driver | Socket Communication::Create TCP Socket (C0001.011) | kernel32.CreateEvent, NtCreateFile, NtDeviceIoControlFile, kernel32.WaitForSingleObject |
| obtain TransmitPackets callback function via WSAIoctl | Socket Communication::Send TCP Data (C0001.014) | WSAIoctl, WSAGetLastError |
| send TCP data via WFP API | Socket Communication::Send TCP Data (C0001.014) | fwpkclnt.FwpsStreamInjectAsync0 |
| create UDP socket | Socket Communication::Create UDP Socket (C0001.010) | ws2_32.socket, ws2_32.WSASocket, socket, System.Net.Sockets.Socket::ctor, System.Net.Sockets.UdpClient::ctor |
| send data on socket | Socket Communication::Send Data (C0001.007) | ws2_32.send, ws2_32.sendto, ws2_32.WSASend, ws2_32.WSASendMsg, ws2_32.WSASendTo, send, System.Net.Sockets.Socket::Send, System.Net.Sockets.Socket::SendAsync, System.Net.Sockets.Socket::SendTo, System.Net.Sockets.Socket::SendToAsync, System.Net.Sockets.UdpClient::Send |
| receive data on socket | Socket Communication::Receive Data (C0001.006) | ws2_32.recv, ws2_32.recvfrom, ws2_32.WSARecv, ws2_32.WSARecvDisconnect, ws2_32.WSARecvEx, ws2_32.WSARecvFrom, ws2_32.WSARecvMsg, recv, System.Net.Sockets.Socket::Receive, System.Net.Sockets.Socket::ReceiveAsync, System.Net.Sockets.Socket::ReceiveFrom, System.Net.Sockets.Socket::ReceiveFromAsync, System.Net.Sockets.Socket::ReceiveMessageFrom, System.Net.Sockets.Socket::ReceiveMessageFromAsync, System.Net.Sockets.Socket::BeginReceive, System.Net.Sockets.Socket::BeginReceiveFrom, System.Net.Sockets.Socket::BeginReceiveMessageFrom, System.Net.Sockets.Socket::EndReceive, System.Net.Sockets.Socket::EndReceiveFrom, System.Net.Sockets.Socket::EndReceiveMessageFrom |
[1] https://www.mandiant.com/resources/synful-knock-acis
[2] capa v4.0, analyzed at MITRE on 10/12/2022