Netcat The Powershell Version
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
Sigma rule
title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: derived
status: test
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/besimorhino/powercat
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021-07-21
modified: 2023-10-27
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1095
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection
falsepositives:
    - Unknown
level: medium
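To see what the selection above actually matches, here is an added example (not part of the rule or the Sigma project) that applies the rule's logic to constructed Windows PowerShell "engine state" events. It assumes the SigmaHQ mapping of ps_classic_start to Event ID 400 in the Windows PowerShell channel, and that the command line lives in the HostApplication= line of the event's Data field; the event contents are constructed samples.

```python
import re
from typing import Optional

# Selection values copied from the rule: Data|contains on either string.
POWERCAT_PATTERNS = ["powercat ", "powercat.ps1"]

def sigma_contains(value: str, needle: str) -> bool:
    """Sigma string modifiers match case-insensitively by default."""
    return needle.lower() in value.lower()

def host_application(data: str) -> Optional[str]:
    """Pull the HostApplication= line (the full command line) out of the Data blob."""
    m = re.search(r"HostApplication=(.*)", data)
    return m.group(1).strip() if m else None

def matches_rule(event: dict) -> bool:
    """logsource ps_classic_start (assumed: channel 'Windows PowerShell', EID 400),
    then the rule's selection: Data contains any of the powercat patterns."""
    if event.get("Channel") != "Windows PowerShell" or event.get("EventID") != 400:
        return False
    return any(sigma_contains(event.get("Data", ""), p) for p in POWERCAT_PATTERNS)

def make_event(host_app: str, event_id: int = 400) -> dict:
    # Constructed sample shaped like the "Engine state is changed" event body.
    data = ("NewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n"
            "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
            f"\tHostApplication={host_app}\n\tEngineVersion=5.1.19041.1\n")
    return {"Channel": "Windows PowerShell", "EventID": event_id, "Data": data}

SAMPLE_EVENTS = [
    make_event("powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\powercat.ps1"),
    make_event("powershell.exe -NoProfile -File C:\\Scripts\\Get-Inventory.ps1"),
    # Module name at the very end of the line: no trailing space and no ".ps1",
    # so neither pattern matches. This is a coverage gap worth knowing about.
    make_event("powershell.exe -Command Import-Module powercat"),
    # EID 403 is the engine *stop* event; excluded by the logsource even though Data matches.
    make_event("powershell.exe Powercat.PS1", event_id=403),
]

def run_rule(events):
    """Return the command lines of every event the rule would alert on."""
    return [host_application(e["Data"]) for e in events if matches_rule(e)]

if __name__ == "__main__":
    for cmdline in run_rule(SAMPLE_EVENTS):
        print("ALERT:", cmdline)
```

Only the first sample fires; the third shows that the two patterns key on a space or a `.ps1` suffix immediately after the tool name, which is the thing to keep in mind when tuning this rule.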
Related rules
- Command Line Execution with Suspicious URL and AppData Strings
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Silence.EDA Detection
- Non Interactive PowerShell Process Spawned