Netcat Network Activity

edit

A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

Tags:

  • Elastic
  • Linux

Version: 2 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Potential false positives

edit

Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.

Rule query

edit
process.name:(nc or ncat or netcat or netcat.openbsd or
netcat.traditional) and event.action:(bound-socket or connected-to or
socket_opened)

Rule version history

edit
Version 2 (7.7.0 release)

Updated query, changed from:

process.name: (nc or ncat or netcat or netcat.openbsd or
netcat.traditional) and event.action: (connected-to or bound-socket or
socket_opened)