Netcat Listener Established Inside A Container
This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/04/26"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and
writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for
persistence or exfiltrating data.
"""
false_positives = [
    """
    There is a potential for false positives if the container is used for legitimate tasks that require the use of
    netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts
    generated by this rule to determine if they are indicative of malicious activity or part of legitimate container
    activity.
    """,
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Netcat Listener Established Inside A Container"
risk_score = 73
rule_id = "a52a9439-d52c-401c-be37-2785235c6547"
severity = "high"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where container.id: "*" and event.type== "start"
and event.action in ("fork", "exec") and
(
process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")
) and (
  /* bind shell to echo for command execution */
  (process.args:("-*l*", "--listen", "-*p*", "--source-port") and process.args:("-c", "--sh-exec", "-e", "--exec", "echo","$*"))
  /* bind shell to specific port */
  or process.args:("-*l*", "--listen", "-*p*", "--source-port")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
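To see what the query actually fires on, here is an added Python re-implementation of its matching logic (example code, not part of the rule or of Elastic's tooling) run over constructed sample process events; the ECS field names are the rule's own, the container id and argument values are made up.

```python
import fnmatch

# Constants copied from the rule's EQL query.
NETCAT_NAMES = {"nc", "ncat", "netcat", "netcat.openbsd", "netcat.traditional"}
LISTEN_FLAGS = ("-*l*", "--listen", "-*p*", "--source-port")
EXEC_FLAGS = ("-c", "--sh-exec", "-e", "--exec", "echo", "$*")


def any_match(values, patterns):
    """EQL `field : (p1, p2, ...)` on an array field is true when any element
    matches any pattern; `:` is case-insensitive and treats `*` as a wildcard.
    fnmatch gives the same semantics for the patterns used in this rule."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower())
               for v in values for p in patterns)


def classify(event):
    """Return "bind_shell", "listener", or None for one process event
    (a flat dict keyed by ECS field name, as in logs-cloud_defend*)."""
    if not event.get("container.id"):              # container.id : "*"
        return None
    if event.get("event.type") != "start":         # event.type == "start"
        return None
    if event.get("event.action") not in ("fork", "exec"):
        return None
    args = event.get("process.args", [])
    # Match on the binary name, or on an argument for wrappers such as busybox.
    name_hit = event.get("process.name", "").lower() in NETCAT_NAMES
    arg_hit = any(a.lower() in NETCAT_NAMES for a in args)
    if not (name_hit or arg_hit) or not any_match(args, LISTEN_FLAGS):
        return None
    # The query's second branch (listen flag alone) subsumes the first, so the
    # rule fires on any listener; the label only records which branch matched.
    # Note that "-*p*" matches every option containing a "p", not just "-p".
    return "bind_shell" if any_match(args, EXEC_FLAGS) else "listener"


def _evt(name, args, **overrides):
    """Build a constructed sample event (not real telemetry)."""
    e = {"container.id": "c0ffee01", "event.type": "start",
         "event.action": "exec", "process.name": name, "process.args": args}
    e.update(overrides)
    return e


SAMPLE_EVENTS = [
    _evt("nc", ["nc", "-l", "-p", "4444", "-e", "/bin/sh"]),     # bind_shell
    _evt("nc", ["nc", "-lvp", "4444"]),                           # listener
    _evt("busybox", ["busybox", "nc", "-lp", "4444"]),            # via args
    _evt("nc", ["nc", "example.internal", "80"]),                 # client: None
    _evt("nc", ["nc", "-lp", "4444"], **{"container.id": ""}),    # host: None
]


def run_samples():
    return [classify(e) for e in SAMPLE_EVENTS]
```

Running `run_samples()` shows that a plain outbound client and the same command on the host (no container id) are ignored, while the busybox-wrapped listener is still caught through `process.args`.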
Related rules
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Suspicious Interactive Shell Spawned From Inside A Container
- AWS Credentials Searched For Inside A Container