Netcat The Powershell Version

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network.

Sigma rule

title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: derived
status: test
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/besimorhino/powercat
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021/07/21
modified: 2023/10/27
tags:
    - attack.command_and_control
    - attack.t1095
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection
falsepositives:
    - Unknown
level: medium
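
The rule's selection applied to sample events, as an added example that is not part of the Sigma project or the original page. It assumes the Data field is a multi-line blob of key=value pairs containing a HostApplication entry; the helper names, field layout and sample events are constructed for illustration.

```python
# Added example, not part of the Sigma project: the rule's selection applied to
# constructed Data blobs shaped like Windows PowerShell engine-start events.

# Values copied from the rule's `Data|contains` list.
RULE_PATTERNS = ["powercat ", "powercat.ps1"]


def selection_matches(data, patterns=RULE_PATTERNS):
    """Sigma `contains` with a value list: case-insensitive substring, OR'd."""
    haystack = data.lower()
    return any(p.lower() in haystack for p in patterns)


def host_application(data):
    """Return the HostApplication value from a Data blob, for analyst triage."""
    for line in data.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "HostApplication":
            return value
    return ""


def make_event(host_app):
    """Build a constructed Data blob (field layout is an assumption)."""
    return "\n".join([
        "\tNewEngineState=Available",
        "\tPreviousEngineState=None",
        "\tHostName=ConsoleHost",
        "\tHostApplication=" + host_app,
    ])


# Constructed sample events; paths and arguments are placeholders.
SAMPLE_EVENTS = [
    make_event(r"powershell.exe -NoProfile -Command Get-ChildItem C:\Logs"),
    make_event(r"powershell.exe -NoProfile -File C:\Users\Public\PowerCat.ps1"),
    make_event("powershell.exe -Command POWERCAT <constructed-args>"),
]


def triage(events):
    """Return (index, HostApplication) for every event the selection matches."""
    return [(i, host_application(d)) for i, d in enumerate(events)
            if selection_matches(d)]


if __name__ == "__main__":
    for idx, app in triage(SAMPLE_EVENTS):
        print(f"ALERT (level medium) event #{idx}: {app}")
```

Because Sigma string matching is case-insensitive, both the mixed-case script name and the upper-case command match, while the ordinary PowerShell start does not.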
