Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/10/15"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,6 @@ false_positives = [
]
from = "now-9m"
index = [
"auditbeat-*",
"logs-endpoint.events.network*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
Expand Down Expand Up @@ -124,43 +123,37 @@ tags = [
"Data Source: SentinelOne",
]
type = "eql"

query = '''
sequence by process.entity_id
sequence by process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and
process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and (
/* bind shell to echo for command execution */
(process.args:("-l","-p") and process.args:("-c","echo","$*"))
/* bind shell to specific port */
or process.args:("-l","-p","-lp")
/* reverse shell to command-line interpreter used for command execution */
or (process.args:("-e") and process.args:("/bin/bash","/bin/sh"))
/* file transfer via stdout */
or process.args:(">","<")
/* file transfer via pipe */
or (process.args:("|") and process.args:("nc","ncat"))
) and
not process.command_line like~ ("*127.0.0.1*", "*localhost*")]
[network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and
(
/* bind shell to specific port or listener */
process.args:("-*l*","-*p*") or
/* reverse shell to command-line interpreter used for command execution */
(process.args:("-e") and process.args:("/bin/bash","/bin/sh")) or
/* file transfer via stdout */
process.args:(">","<") or
/* file transfer via pipe */
(process.args:("|") and process.args:("nc","ncat"))
) and not process.command_line like~ ("*127.0.0.1*", "*localhost*")]
[network where host.os.type == "linux" and process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")]
@Samirbous Samirbous Oct 15, 2025
Is the network event really necessary here? (The first event of the sequence should be enough to triage, and it has lower performance requirements.)

process where host.os.type == "linux" and event.type == "start" and 
      process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and (
          /* bind shell to specific port or listener */
          process.args:("-*l*","-*p*")
          /* reverse shell to command-line interpreter used for command execution */
          or (process.args: "-e" and process.args:("/bin/bash","/bin/sh"))
          /* file transfer via stdout */
          or process.args:(">","<")
          /* file transfer via pipe */
          or (process.args:("|") and process.args:("nc","ncat"))
      ) and
      not process.command_line like~ ("*127.0.0.1*", "*localhost*")

'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
