PUA - Netcat Suspicious Execution
Detects execution of Netcat. Adversaries may use a non-application-layer protocol for communication between a host and a C2 server, or among infected hosts within a network.
Sigma rule

```yaml
title: PUA - Netcat Suspicious Execution
id: e31033fc-33f0-4020-9a16-faf9b31cbf08
status: test
description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
    - https://www.revshells.com/
author: frack113, Florian Roth (Nextron Systems)
date: 2021-07-21
modified: 2023-02-08
tags:
    - attack.command-and-control
    - attack.t1095
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # cannot use OriginalFileName as it is empty for these binaries
        Image|endswith:
            - '\nc.exe'
            - '\ncat.exe'
            - '\netcat.exe'
    selection_cmdline:
        # Typical command lines
        CommandLine|contains:
            - ' -lvp '
            - ' -lvnp'
            - ' -l -v -p '
            - ' -lv -p '
            - ' -l --proxy-type http '
            # - ' --exec cmd.exe ' # Not specific enough for netcat
            - ' -vnl --exec '
            - ' -vnl -e '
            - ' --lua-exec '
            - ' --sh-exec '
    condition: 1 of selection_*
falsepositives:
    - Legitimate ncat use
level: high
```
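The rule ORs two independent selections: `selection_img` fires on the image name alone (so any `ncat.exe` run, including the "legitimate ncat use" false positive the rule lists), while `selection_cmdline` fires on listener or exec-style arguments regardless of what the binary is called. The following added example, not part of the SigmaHQ rule or of any Sigma backend, re-implements that `1 of selection_*` logic in plain Python and runs it over a few constructed process_creation events to show which selection each event trips. The event dictionaries, their `id` field and the helper names are assumptions for illustration; the matching follows Sigma's default case-insensitive `endswith`/`contains` semantics.

```python
"""Evaluate the Netcat Sigma rule's detection logic over constructed
process_creation events (added example, not the rule's own code)."""

# Terms copied verbatim from the rule's two selections.
IMAGE_SUFFIXES = ("\\nc.exe", "\\ncat.exe", "\\netcat.exe")
CMDLINE_SUBSTRINGS = (
    " -lvp ", " -lvnp", " -l -v -p ", " -lv -p ", " -l --proxy-type http ",
    " -vnl --exec ", " -vnl -e ", " --lua-exec ", " --sh-exec ",
)


def matches_selection_img(event):
    """selection_img: Image|endswith (Sigma string matching is case-insensitive)."""
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES)


def matches_selection_cmdline(event):
    """selection_cmdline: CommandLine|contains, case-insensitive substring test."""
    cmdline = event.get("CommandLine", "").lower()
    return any(term.lower() in cmdline for term in CMDLINE_SUBSTRINGS)


def rule_matches(event):
    """condition: 1 of selection_*  ->  true if any selection is satisfied."""
    return matches_selection_img(event) or matches_selection_cmdline(event)


def evaluate(events):
    """Return the ids of all events the rule would alert on, in input order."""
    return [event["id"] for event in events if rule_matches(event)]


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS = [
    # 1: ncat listener -> both selections fire
    {"id": 1, "Image": "C:\\Tools\\ncat.exe", "CommandLine": "ncat.exe -lvp 4444"},
    # 2: binary renamed, but the argument pattern still matches selection_cmdline
    {"id": 2, "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "CommandLine": "tool.exe -lvnp 4444"},
    # 3: ordinary service host, no selection fires
    {"id": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # 4: benign ncat invocation -> selection_img alone fires (the rule's listed false positive)
    {"id": 4, "Image": "C:\\Program Files (x86)\\Nmap\\ncat.exe",
     "CommandLine": "ncat.exe --version"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "img=%s cmdline=%s alert=%s" % (
            matches_selection_img(event), matches_selection_cmdline(event), rule_matches(event)))
    print("alerting event ids:", evaluate(SAMPLE_EVENTS))
```

Event 4 is the one to keep in mind when tuning: because `selection_img` needs no command-line evidence, every execution of a legitimately installed `ncat.exe` alerts at level high, so an allow-list of expected paths or parent processes is the natural place to handle the rule's stated false positive without weakening the argument-based selection.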
Related rules
- Netcat The Powershell Version
- Suspicious DNS Z Flag Bit Set
- ADSI-Cache File Creation By Uncommon Tool
- APT User Agent
- APT40 Dropbox Tool User Agent