security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f02ffbbe13353c8653ae03867290a9d35a1f2730
sigma-rules/rules/linux/execution_linux_netcat_network_connection.toml
T
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00

58 lines
2.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
[rule]
author = ["Elastic"]
description = """
A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by
exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data
exfiltration.
"""
false_positives = [
"""
Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux
distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may
originate from scripts, automation tools, and frameworks.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Netcat Network Activity"
references = [
"http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
"https://en.wikipedia.org/wiki/Netcat",
]
risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
type = "eql"
query = '''
sequence by process.entity_id
[process where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
process.name == "netcat.openbsd" or process.name == "netcat.traditional") and
event.type == "start"]
[network where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink