Network Activity Detected via cat

This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/09/04"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/09/04"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat 
13is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. 
14This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
15or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Network Activity Detected via cat"
22risk_score = 47
23rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
26type = "eql"
27query = '''
28sequence by host.id, process.entity_id with maxspan=1s
29  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
30   process.name == "cat"]
31  [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and 
32   process.name == "cat"]
33'''
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37
38[rule.threat.tactic]
39id = "TA0011"
40name = "Command and Control"
41reference = "https://attack.mitre.org/tactics/TA0011/"
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45
46[rule.threat.tactic]
47id = "TA0005"
48name = "Defense Evasion"
49reference = "https://attack.mitre.org/tactics/TA0005/"
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53
54[rule.threat.tactic]
55id = "TA0010"
56name = "Exfiltration"
57reference = "https://attack.mitre.org/tactics/TA0010/"

Related rules

to-top