[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"

[rule]
author = ["Elastic"]
description = """
A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by
exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data
exfiltration.
"""
false_positives = [
    """
    Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux
    distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may
    originate from scripts, automation tools, and frameworks.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Netcat Network Activity"
references = [
    "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
    "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
    "https://en.wikipedia.org/wiki/Netcat",
]
risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Elastic", "Linux"]
type = "query"

query = '''
event.category:network and event.type:(access or connection or start) and
  process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)
'''