forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlinux_netcat_network_connection.toml
44 lines (41 loc) · 1.65 KB
/
linux_netcat_network_connection.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by
exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data
exfiltration.
"""
false_positives = [
"""
Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux
distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may
originate from scripts, automation tools, and frameworks.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Netcat Network Activity"
references = [
"http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
"https://en.wikipedia.org/wiki/Netcat",
]
risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "eql"
query = '''
sequence by process.entity_id
[process where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
process.name == "netcat.openbsd" or process.name == "netcat.traditional") and
event.type == "start"]
[network where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
'''