forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlinux_netcat_network_connection.toml
More file actions
39 lines (36 loc) · 1.32 KB
/
linux_netcat_network_connection.toml
File metadata and controls
39 lines (36 loc) · 1.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by
exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data
exfiltration.
"""
false_positives = [
"""
Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux
distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may
originate from scripts, automation tools, and frameworks.
""",
]
index = ["auditbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Netcat Network Activity"
references = [
"http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
"https://en.wikipedia.org/wiki/Netcat",
]
risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Elastic", "Linux"]
type = "query"
query = '''
process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)
'''