Communications over RAW socket

Hunt Hypothesis

Adversaries may use raw socket communications to establish covert channels and exfiltrate data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activities that evade traditional network monitoring.

YARA Rule

rule network_tcp_socket {
    meta:
        author = "x0r"
        description = "Communications over RAW socket"
	version = "0.1"
    strings:
	$f1 = "Ws2_32.dll" nocase
        $f2 = "wsock32.dll" nocase
        $c1 = "WSASocket"
        $c2 = "socket"
        $c3 = "send"
        $c4 = "WSASend"
        $c5 = "WSAConnect"
        $c6 = "connect"
        $c7 = "WSAStartup"
        $c8 = "closesocket"
        $c9 = "WSACleanup"
    condition:
        1 of ($f*) and 2 of ($c*)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 11 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System update using iproute2 tools
  Description: A system administrator uses ip or ss commands to configure network interfaces or inspect socket statistics, which may trigger raw socket activity.
  Filter/Exclusion: Exclude processes associated with iproute2 or ip command execution using process.name != "ip" or process.name != "ss".

• Scenario: Network diagnostic with tcpdump or Wireshark
  Description: Security analysts use tcpdump or Wireshark to capture and analyze raw socket traffic for troubleshooting or forensic analysis.
  Filter/Exclusion: Exclude processes running tcpdump or Wireshark using process.name != "tcpdump" and process.name != "wireshark".

• Scenario: Scheduled job for log rotation or backup
  Description: A scheduled job (e.g., via cron or systemd) may use raw sockets for network communication during log transfer or backup operations.
  Filter/Exclusion: Exclude processes with process.parent.name = "cron" or process.parent.name = "systemd" and filter by known backup tools like rsync or tar.

• Scenario: Admin task using netcat for remote management
  Description: An administrator uses netcat (nc) to remotely manage or test network connectivity, which may involve raw socket communication.
  Filter/Exclusion: Exclude processes with process.name = "nc" or process.name = "netcat".

• Scenario: Container runtime communication
  Description: Container runtimes like Docker or Kubernetes may use raw sockets for internal communication between containers or with the host.
  Filter/Exclusion: Exclude processes with container.id or process.parent.name = "docker" or