Update execution_file_transfer_or_listener_established_via_netcat.toml

Aegrah · web-flow · commit bd1374958d28 · 2025-10-27T09:45:22.000+01:00
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -124,20 +124,19 @@ tags = [
 ]
 type = "eql"
 query = '''
-sequence by process.entity_id with maxspan=1m
-  [process where host.os.type == "linux" and event.type == "start" and
-   process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and
-   (
-     /* bind shell to specific port or listener */
-     process.args:("-*l*","-*p*") or
-     /* reverse shell to command-line interpreter used for command execution */
-     (process.args:("-e") and process.args:("/bin/bash","/bin/sh")) or
-     /* file transfer via stdout */
-     process.args:(">","<") or
-     /* file transfer via pipe */
-     (process.args:("|") and process.args:("nc","ncat"))
-    ) and not process.command_line like~ ("*127.0.0.1*", "*localhost*")]
-  [network where host.os.type == "linux" and process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")]
+process where host.os.type == "linux" and event.type == "start" and
+process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and
+(
+  /* bind shell to specific port or listener */
+  process.args:("-*l*","-*p*") or
+  /* reverse shell to command-line interpreter used for command execution */
+  (process.args:("-*e*")) or
+  /* file transfer via stdout */
+  process.args:(">","<") or
+  /* file transfer via pipe */
+  (process.args:"|")
+) and
+not process.command_line like~ ("*127.0.0.1*", "*localhost*")
 '''
 
 [[rule.threat]]
