Netcat The Powershell Version

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Sigma rule (View on GitHub)

 1title: Netcat The Powershell Version
 2id: c5b20776-639a-49bf-94c7-84f912b91c15
 3related:
 4    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
 5      type: derived
 6status: test
 7description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
 8references:
 9    - https://nmap.org/ncat/
10    - https://github.com/besimorhino/powercat
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
12author: frack113
13date: 2021-07-21
14modified: 2023-10-27
15tags:
16    - attack.command-and-control
17    - attack.t1095
18logsource:
19    product: windows
20    category: ps_classic_start
21detection:
22    selection:
23        Data|contains:
24            - 'powercat '
25            - 'powercat.ps1'
26    condition: selection
27falsepositives:
28    - Unknown
29level: medium

References

Related rules

to-top