Techniques
Sample rules
File Transfer or Listener Established via Netcat
- source: elastic
- technicques:
- T1059
Description
A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.
Detection logic
sequence by process.entity_id
[process where host.os.type == "linux" and event.type == "start" and
process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and (
/* bind shell to echo for command execution */
(process.args:("-l","-p") and process.args:("-c","echo","$*"))
/* bind shell to specific port */
or process.args:("-l","-p","-lp")
/* reverse shell to command-line interpreter used for command execution */
or (process.args:("-e") and process.args:("/bin/bash","/bin/sh"))
/* file transfer via stdout */
or process.args:(">","<")
/* file transfer via pipe */
or (process.args:("|") and process.args:("nc","ncat"))
)]
[network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
Netcat Listener Established via rlwrap
- source: elastic
- technicques:
- T1059
Description
Monitors for the execution of a netcat listener via rlwrap. rlwrap is a ‘readline wrapper’, a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and
process.args : "*l*" and process.args_count >= 4