T1059.004 Potential Netcat Reverse Shell Execution

T1059.004 - Potential Netcat Reverse Shell Execution

DESCRIPTION

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

Example:

/ncat Shell Execution /nc Shell Execution

Related

LOLBINs Unux Execution

Reference:

https://github.com/SigmaHQ/sigma/blob/822f0b3d92b41a7a2021c1ec52f0053d764695e1/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://www.infosecademy.com/netcat-reverse-shells/

ATT&CK TACTICS

T1059.004 - Command and Scripting Interpreter: Unix Shell

Data Source(s): Command, Process

SENTINEL RULE QUERY

let selection_flags = dynamic([' -c ',' -e ' ]);
let selection_shell = dynamic([' ash', ' bash', ' bsh', ' csh', ' ksh', ' pdksh', ' sh', ' tcsh', '/bin/ash', '/bin/bash', '/bin/bsh', '/bin/csh', '/bin/ksh', '/bin/pdksh', '/bin/sh', '/bin/tcsh', '/bin/zsh', '$IFSash', '$IFSbash', '$IFSbsh', '$IFScsh', '$IFSksh', '$IFSpdksh', '$IFSsh', '$IFStcsh', '$IFSzsh']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath endswith "/ncat" or FolderPath endswith "/nc" //selection_nc
| where ProcessCommandLine has_any (selection_flags)
| where ProcessCommandLine has_any (selection_shell)

Triage

1. Validate the use of netcat in the environment, confirm with administrator team
2. Verify the account, timestamp, and command lines executed, whether the activity was approved.

FalsePositive

• Legitimate admin activities using netcat

VERSION

Version 1.0 (date: 15/03/2024)