[Rule Tuning] File Transfer or Listener Established via Netcat (#5223)

* [Rule Tuning] File Transfer or Listener Established via Netcat * Formatting * Update execution_file_transfer_or_listener_established_via_netcat.toml * Update execution_file_transfer_or_listener_established_via_netcat.toml * Add timestamp override to netcat execution rule --------- Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-11-10 16:11:16 +01:00
parent 37e18af7a5
commit 57facddd32
1 changed files with 22 additions and 25 deletions
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/10/15"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ false_positives = [
 from = "now-9m"
 index = [
    "auditbeat-*",
-    "logs-endpoint.events.network*",
+    "endgame-*",
+    "logs-auditd_manager.auditd-*",
+    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process*",
    "logs-sentinel_one_cloud_funnel.*",
 ]
@@ -121,46 +123,41 @@ tags = [
    "Tactic: Execution",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Auditd Manager",
+    "Data Source: Crowdstrike",
    "Data Source: SentinelOne",
 ]
+timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-sequence by process.entity_id
-  [process where host.os.type == "linux" and event.type == "start" and
-      process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and (
-          /* bind shell to echo for command execution */
-          (process.args:("-l","-p") and process.args:("-c","echo","$*"))
-          /* bind shell to specific port */
-          or process.args:("-l","-p","-lp")
-          /* reverse shell to command-line interpreter used for command execution */
-          or (process.args:("-e") and process.args:("/bin/bash","/bin/sh"))
-          /* file transfer via stdout */
-          or process.args:(">","<")
-          /* file transfer via pipe */
-          or (process.args:("|") and process.args:("nc","ncat"))
-      ) and
-      not process.command_line like~ ("*127.0.0.1*", "*localhost*")]
-  [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
-                  process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and
+process.args like~ (
+  /* bind shell to specific port or listener */
+  "-*l*","-*p*",
+  /* reverse shell to command-line interpreter used for command execution */
+  "-*e*",
+  /* file transfer via stdout/pipe */
+  ">","<", "|"
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-