Techniques
Sample rules
PUA - Netcat Suspicious Execution
- source: sigma
- techniques:
  - t1095
Description
Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network.
Detection logic
condition: 1 of selection_*
selection_cmdline:
  CommandLine|contains:
    - ' -lvp '
    - ' -lvnp'
    - ' -l -v -p '
    - ' -lv -p '
    - ' -l --proxy-type http '
    - ' -vnl --exec '
    - ' -vnl -e '
    - ' --lua-exec '
    - ' --sh-exec '
selection_img:
  Image|endswith:
    - \nc.exe
    - \ncat.exe
    - \netcat.exe
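
The following is an added example, not part of the Sigma rule or its project: a small Python evaluator that applies the two selections and the `1 of selection_*` condition to process-creation events. The event field layout, function names and sample events are constructed for illustration; matching is case-insensitive, as Sigma string modifiers are by default.

```python
# Added example: evaluate the rule's two selections against process-creation events.
SELECTION_CMDLINE = [
    " -lvp ", " -lvnp", " -l -v -p ", " -lv -p ",
    " -l --proxy-type http ", " -vnl --exec ", " -vnl -e ",
    " --lua-exec ", " --sh-exec ",
]
SELECTION_IMG = ["\\nc.exe", "\\ncat.exe", "\\netcat.exe"]


def matched_selections(event):
    """Return the names of the selections that this event satisfies."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    # CommandLine|contains: any listed substring anywhere in the command line.
    if any(s.lower() in cmdline for s in SELECTION_CMDLINE):
        hits.append("selection_cmdline")
    # Image|endswith: the leading backslash anchors the match to the file name.
    if image.endswith(tuple(s.lower() for s in SELECTION_IMG)):
        hits.append("selection_img")
    return hits


def rule_fires(event):
    """condition: 1 of selection_* means a single selection is sufficient."""
    return bool(matched_selections(event))


# Constructed sample events (hypothetical paths and arguments).
SAMPLE_EVENTS = [
    # Image name alone is enough, regardless of case or arguments.
    {"Image": r"C:\Tools\NC.EXE", "CommandLine": "NC.EXE 10.0.0.5 443"},
    # Renamed binary: still caught through the command-line flags.
    {"Image": r"C:\Users\Public\svchost.exe", "CommandLine": "svchost.exe -lvnp 4444"},
    # Both selections match.
    {"Image": r"C:\Program Files (x86)\Nmap\ncat.exe", "CommandLine": "ncat.exe -lvp 8080"},
    # File name merely ends in "nc.exe"; the backslash prevents a false positive.
    {"Image": r"C:\Tools\sync.exe", "CommandLine": "sync.exe -accepteula"},
    # Unrelated process.
    {"Image": r"C:\Windows\System32\ping.exe", "CommandLine": "ping.exe -n 1 10.0.0.5"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_selections(ev), ev["CommandLine"])
```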