Detectionmediumtest

Netcat The Powershell Version

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Jul 21Updated Fri Oct 27c5b20776-639a-49bf-94c7-84f912b91c15windows

Log Source

WindowsPowerShell Classic

ProductWindows← raw: windows

CategoryPowerShell Classic← raw: ps_classic_start

Detection Logic

detection:
    selection:
        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Techniques

T1095 · Non-Application Layer Protocol

Related Rules

Derived

bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2

Rule not found

Rule Metadata

Rule ID

c5b20776-639a-49bf-94c7-84f912b91c15

Status

test

Level

medium

Type

Detection

Created

Wed Jul 21

Modified

Fri Oct 27

Author

François Hubaut

Path

rules/windows/powershell/powershell_classic/posh_pc_powercat.yml

Raw Tags

attack.command-and-controlattack.t1095

View on GitHub