
PUA - Netcat Suspicious Execution

Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network (MITRE ATT&CK T1095, Non-Application Layer Protocol).

Author: François Hubaut, Florian Roth (Nextron Systems)
Created: Wed Jul 21
Updated: Wed Feb 08
Rule ID: e31033fc-33f0-4020-9a16-faf9b31cbf08

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        # cannot use OriginalFileName, as it is empty
        Image|endswith:
            - '\nc.exe'
            - '\ncat.exe'
            - '\netcat.exe'
    selection_cmdline:
        # Typical command lines
        CommandLine|contains:
            - ' -lvp '
            - ' -lvnp'
            - ' -l -v -p '
            - ' -lv -p '
            - ' -l --proxy-type http '
            # - ' --exec cmd.exe ' # Not specific enough for netcat
            - ' -vnl --exec '
            - ' -vnl -e '
            - ' --lua-exec '
            - ' --sh-exec '
    condition: 1 of selection_*
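To see how the two selectors and the `1 of selection_*` condition behave, here is an added example (not part of the Sigma rule, the page, or Nextron's tooling): a small Python evaluator that applies the same `endswith` / `contains` logic, with Sigma's case-insensitive string matching, to a handful of constructed Sysmon Event ID 1 style process-creation events. The events, their `note` labels and the helper names (`selection_img`, `selection_cmdline`, `matches`, `triage`) are assumptions made for this example; only the suffix and substring lists come from the rule above.

```python
# Added example, not the page's or the Sigma project's own code: a minimal
# evaluator for the two selectors above and the "1 of selection_*" condition.
# Sigma string modifiers match case-insensitively, so both sides are lowered.

IMAGE_SUFFIXES = ("\\nc.exe", "\\ncat.exe", "\\netcat.exe")

CMDLINE_SUBSTRINGS = (
    " -lvp ",
    " -lvnp",
    " -l -v -p ",
    " -lv -p ",
    " -l --proxy-type http ",
    " -vnl --exec ",
    " -vnl -e ",
    " --lua-exec ",
    " --sh-exec ",
)


def selection_img(event: dict) -> bool:
    """Image|endswith: the process image path ends with a Netcat binary name."""
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES)


def selection_cmdline(event: dict) -> bool:
    """CommandLine|contains: a listener or exec switch typical for Netcat."""
    cmdline = event.get("CommandLine", "").lower()
    return any(sub.lower() in cmdline for sub in CMDLINE_SUBSTRINGS)


def matches(event: dict) -> bool:
    """condition: 1 of selection_* -> either selector on its own fires the rule."""
    return selection_img(event) or selection_cmdline(event)


def triage(events) -> list:
    """Return (note, matched) pairs so a caller can see which events alert."""
    return [(event["note"], matches(event)) for event in events]


# Constructed sample events (assumed, not real telemetry). Only Image and
# CommandLine matter to the rule; "note" is a label for this example.
SAMPLE_EVENTS = [
    {"note": "nc.exe listener",
     "Image": "C:\\Tools\\nc.exe",
     "CommandLine": "nc.exe -lvp 4444 -e cmd.exe"},
    {"note": "renamed ncat, caught by the command line selector only",
     "Image": "C:\\Users\\Public\\svchost32.exe",
     "CommandLine": "svchost32.exe -lvnp 8443 --sh-exec \"powershell -nop\""},
    {"note": "ncat as an HTTP proxy listener (matches; legitimate use is a listed FP)",
     "Image": "C:\\Program Files (x86)\\Nmap\\ncat.exe",
     "CommandLine": "\"ncat.exe\" -l --proxy-type http 8080"},
    {"note": "bare --exec cmd.exe is deliberately not a pattern in the rule",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "runner.exe --exec cmd.exe /c whoami"},
    {"note": "unrelated process",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for note, hit in triage(SAMPLE_EVENTS):
        print(f"{'ALERT' if hit else 'ok   '}  {note}")
```

The second event is the reason the condition is an OR rather than an AND: an attacker who renames the binary defeats `selection_img`, but the listener switches in the command line still trip `selection_cmdline`. The fourth event shows the flip side of the commented-out `--exec cmd.exe` pattern: on its own it stays silent, which is the trade-off the rule author accepted to keep the false-positive rate down.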
False Positives

Legitimate ncat use

Rule Metadata
Rule ID
e31033fc-33f0-4020-9a16-faf9b31cbf08
Status
test
Level
high
Type
Detection
Created
Wed Jul 21
Modified
Wed Feb 08
Path
rules/windows/process_creation/proc_creation_win_pua_netcat.yml
Raw Tags
attack.command-and-control, attack.t1095