Network Activity Detected via cat
This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/09/04"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/09/04"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
13is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
14This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
15or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Network Activity Detected via cat"
22risk_score = 47
23rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
26type = "eql"
27query = '''
28sequence by host.id, process.entity_id with maxspan=1s
29 [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
30 process.name == "cat"]
31 [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
32 process.name == "cat"]
33'''
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37
38[rule.threat.tactic]
39id = "TA0011"
40name = "Command and Control"
41reference = "https://attack.mitre.org/tactics/TA0011/"
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45
46[rule.threat.tactic]
47id = "TA0005"
48name = "Defense Evasion"
49reference = "https://attack.mitre.org/tactics/TA0005/"
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53
54[rule.threat.tactic]
55id = "TA0010"
56name = "Exfiltration"
57reference = "https://attack.mitre.org/tactics/TA0010/"
Related rules
- Deprecated - Potential DNS Tunneling via Iodine
- Potential Non-Standard Port SSH connection
- Potential Protocol Tunneling via EarthWorm
- Suspicious Network Activity to the Internet by Previously Unknown Executable
- Potential Linux Tunneling and/or Port Forwarding