Netcat Listener Established Inside A Container
editNetcat Listener Established Inside A Container
editThis rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data.
Rule type: eql
Rule indices:
- logs-cloud_defend*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Execution
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where container.id: "*" and event.type== "start" and event.action in ("fork", "exec") and ( process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") ) and ( /* bind shell to echo for command execution */ (process.args:("-*l*", "--listen", "-*p*", "--source-port") and process.args:("-c", "--sh-exec", "-e", "--exec", "echo","$*")) /* bind shell to specific port */ or process.args:("-*l*", "--listen", "-*p*", "--source-port") )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: Unix Shell
- ID: T1059.004
- Reference URL: https://attack.mitre.org/techniques/T1059/004/