PUA - Netcat Suspicious Execution

Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Sigma rule (View on GitHub)

 1title: PUA - Netcat Suspicious Execution
 2id: e31033fc-33f0-4020-9a16-faf9b31cbf08
 3status: test
 4description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
 5references:
 6    - https://nmap.org/ncat/
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 8    - https://www.revshells.com/
 9author: frack113, Florian Roth (Nextron Systems)
10date: 2021/07/21
11modified: 2023/02/08
12tags:
13    - attack.command_and_control
14    - attack.t1095
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        # can not use OriginalFileName as is empty
21        Image|endswith:
22            - '\nc.exe'
23            - '\ncat.exe'
24            - '\netcat.exe'
25    selection_cmdline:
26        # Typical command lines
27        CommandLine|contains:
28            - ' -lvp '
29            - ' -lvnp'
30            - ' -l -v -p '
31            - ' -lv -p '
32            - ' -l --proxy-type http '
33            # - ' --exec cmd.exe ' # Not specific enough for netcat
34            - ' -vnl --exec '
35            - ' -vnl -e '
36            - ' --lua-exec '
37            - ' --sh-exec '
38    condition: 1 of selection_*
39falsepositives:
40    - Legitimate ncat use
41level: high

References

Related rules

to-top