Potential Netcat Reverse Shell Execution

 1title: Potential Netcat Reverse Shell Execution
 2id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
 3status: test
 4description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
 5references:
 6    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 7    - https://www.revshells.com/
 8    - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
 9    - https://www.infosecademy.com/netcat-reverse-shells/
10    - https://man7.org/linux/man-pages/man1/ncat.1.html
11author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
12date: 2023-04-07
13tags:
14    - attack.execution
15    - attack.t1059
16logsource:
17    category: process_creation
18    product: linux
19detection:
20    selection_nc:
21        Image|endswith:
22            - '/nc'
23            - '/ncat'
24    selection_flags:
25        CommandLine|contains:
26            - ' -c '
27            - ' -e '
28    selection_shell:
29        CommandLine|contains:
30            - ' ash'
31            - ' bash'
32            - ' bsh'
33            - ' csh'
34            - ' ksh'
35            - ' pdksh'
36            - ' sh'
37            - ' tcsh'
38            - '/bin/ash'
39            - '/bin/bash'
40            - '/bin/bsh'
41            - '/bin/csh'
42            - '/bin/ksh'
43            - '/bin/pdksh'
44            - '/bin/sh'
45            - '/bin/tcsh'
46            - '/bin/zsh'
47            - '$IFSash'
48            - '$IFSbash'
49            - '$IFSbsh'
50            - '$IFScsh'
51            - '$IFSksh'
52            - '$IFSpdksh'
53            - '$IFSsh'
54            - '$IFStcsh'
55            - '$IFSzsh'
56    condition: all of selection_*
57falsepositives:
58    - Unlikely
59level: high

References

• Reverse Shell Cheat Sheet

  If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new accou...

  
  Read More

• Online - Reverse Shell Generator

  

  Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.

  
  Read More

• Hacking with Netcat part 2: Bind and reverse shells - Hacking Tutorials

  

  In part 2 of hacking with Netcat we will be learning about bind shells and reverse shells on Windows and Linux using Netcat, Python, PHP, Perl and Bash.

  
  Read More

• Netcat Reverse Shells And How They Are Used By Pentesters

  

  Netcat reverse shells are the endgame for pentesters. This step-by-step guide shows you how to create your own reverse shell using Netcat.

  
  Read More

• ncat(1) - Linux manual page

  

  HTML rendering created 2024-06-26 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Host...

  
  Read More

Related rules

• Abusable DLL Potential Sideloading From Suspicious Location
• Add Insecure Download Source To Winget
• Add New Download Source To Winget
• Atlassian Confluence CVE-2022-26134
• Azure New CloudShell Created