From 542226524c5cfb9ce4e59e2a0e0ed8f4279296fa Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Wed, 15 Oct 2025 09:34:07 +0200
Subject: [PATCH 1/5] [Rule Tuning] File Transfer or Listener Established via Netcat
---
...er_or_listener_established_via_netcat.toml | 25 +++++++------------
1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index ba6fb226b66..02982b9cacd 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/10/15"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,6 @@ false_positives = [
 ]
 from = "now-9m"
 index = [
- "auditbeat-*",
 "logs-endpoint.events.network*",
 "logs-endpoint.events.process*",
 "logs-sentinel_one_cloud_funnel.*",
@@ -124,15 +123,12 @@ tags = [ "Data Source: SentinelOne", ] type = "eql" - query = ''' -sequence by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and - process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and ( - /* bind shell to echo for command execution */ - (process.args:("-l","-p") and process.args:("-c","echo","$*")) - /* bind shell to specific port */ - or process.args:("-l","-p","-lp") +sequence by process.entity_id with maxspan=1m + [process where host.os.type == "linux" and event.type == "start" + process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and ( + /* bind shell to specific port or listener */ + or process.args:("-*l*","-*p*") /* reverse shell to command-line interpreter used for command execution */ or (process.args:("-e") and process.args:("/bin/bash","/bin/sh")) /* file transfer via stdout */ @@ -141,26 +137,23 @@ sequence by process.entity_id or (process.args:("|") and process.args:("nc","ncat")) ) and not process.command_line like~ ("*127.0.0.1*", "*localhost*")] - [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or - process.name == "netcat.openbsd" or process.name == "netcat.traditional")] + [network where host.os.type == "linux" and process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - From 1a657635190022f4e93fa35e0ce7c40fa1a00c1e Mon Sep 17 00:00:00 2001 
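Review bot: The listener clause `process.args:("-*l*","-*p*")` matches any argument that begins with `-` and contains an `l` or `p` anywhere, so long options such as `--ssl`, `--proxy`, `--udp` or `--keep-open` satisfy it with no listener involved, and for OpenBSD netcat a bare `-p` only sets the source port of an outbound connection; the comment "bind shell to specific port or listener" overstates what is checked. If the goal is bundled short options like `-nvlp`, a whole-string regex that stops at a second dash keeps the bundle and drops the long options, e.g. `process.args regex "-[a-z]*l[a-z]*" or process.args == "--listen"`, and `-*p*` can go unless `-p` on its own is meant to fire. Patch 2 of this series supplies the `and` missing after `event.type == "start"` and removes the dangling leading `or`, so those are not repeated here. The `query` value continues in the next hunk.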
From: Ruben Groenewoud
Date: Wed, 15 Oct 2025 09:39:00 +0200
Subject: [PATCH 2/5] Formatting
---
...er_or_listener_established_via_netcat.toml | 24 +++++++++----------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 02982b9cacd..0dbe04fbe9d 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -125,18 +125,18 @@ tags = [ type = "eql" query = ''' sequence by process.entity_id with maxspan=1m - [process where host.os.type == "linux" and event.type == "start" - process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and ( - /* bind shell to specific port or listener */ - or process.args:("-*l*","-*p*") - /* reverse shell to command-line interpreter used for command execution */ - or (process.args:("-e") and process.args:("/bin/bash","/bin/sh")) - /* file transfer via stdout */ - or process.args:(">","<") - /* file transfer via pipe */ - or (process.args:("|") and process.args:("nc","ncat")) - ) and - not process.command_line like~ ("*127.0.0.1*", "*localhost*")] + [process where host.os.type == "linux" and event.type == "start" and + process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and + ( + /* bind shell to specific port or listener */ + process.args:("-*l*","-*p*") or + /* reverse shell to command-line interpreter used for command execution */ + (process.args:("-e") and process.args:("/bin/bash","/bin/sh")) or + /* file transfer via stdout */ + process.args:(">","<") or + /* file transfer via pipe */ + (process.args:("|") and process.args:("nc","ncat")) + ) and not process.command_line like~ ("*127.0.0.1*", "*localhost*")] [network where host.os.type == "linux" and process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")] ''' From bd1374958d2817f02037a5887289a6e4f05b0c4b Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 27 Oct 2025 09:45:22 +0100 Subject: [PATCH 3/5] Update execution_file_transfer_or_listener_established_via_netcat.toml --- ...er_or_listener_established_via_netcat.toml | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) 
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 0dbe04fbe9d..3f88bc9c53c 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -124,20 +124,19 @@ tags = [ ] type = "eql" query = ''' -sequence by process.entity_id with maxspan=1m - [process where host.os.type == "linux" and event.type == "start" and - process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and - ( - /* bind shell to specific port or listener */ - process.args:("-*l*","-*p*") or - /* reverse shell to command-line interpreter used for command execution */ - (process.args:("-e") and process.args:("/bin/bash","/bin/sh")) or - /* file transfer via stdout */ - process.args:(">","<") or - /* file transfer via pipe */ - (process.args:("|") and process.args:("nc","ncat")) - ) and not process.command_line like~ ("*127.0.0.1*", "*localhost*")] - [network where host.os.type == "linux" and process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")] +process where host.os.type == "linux" and event.type == "start" and +process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and +( + /* bind shell to specific port or listener */ + process.args:("-*l*","-*p*") or + /* reverse shell to command-line interpreter used for command execution */ + (process.args:("-*e*")) or + /* file transfer via stdout */ + process.args:(">","<") or + /* file transfer via pipe */ + (process.args:"|") +) and +not process.command_line like~ ("*127.0.0.1*", "*localhost*") ''' [[rule.threat]] From 17180dd3d16b31c9e2a5e1bbaae28a09b8b6ba8d Mon Sep 17 00:00:00 2001 
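Review bot: The `">"`, `"<"` and `"|"` alternatives cannot match on a process whose `process.name` is `nc`/`ncat`: the shell consumes redirections and pipes before it execs netcat, so they never appear in netcat's own `process.args`, and the only way to hit them is a literally quoted `">"` argument, which is not a file transfer. The removed `process.args:("nc","ncat")` guard had the same problem, so nothing is lost by dropping it, but the three tokens should either go as well or be checked on the launching shell, e.g. `process.parent.command_line like~ ("*| nc *", "*| ncat *", "*nc * > *", "*nc * < *")`, bearing in mind that an interactive shell parent carries no such command line, so this only catches `sh -c` style wrappers. `-*e*` with the `:` operator also matches `--help`, `--version` and `--verbose`, so `nc --version` satisfies the query on its own, while ncat's short `-c` (`--sh-exec`) form used without `-l` or `-e` matches none of the patterns. Dropping the `[network …]` stage means the rule now fires on `nc -l` at exec time whether or not anything ever connects; if that is intended, the rule name's "Established" and the description (outside this hunk) should say so.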
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 27 Oct 2025 09:50:41 +0100 Subject: [PATCH 4/5] Update execution_file_transfer_or_listener_established_via_netcat.toml --- ...er_or_listener_established_via_netcat.toml | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 3f88bc9c53c..57f4c1e1149 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" updated_date = "2025/10/15" @@ -20,7 +20,10 @@ false_positives = [ ] from = "now-9m" index = [ - "logs-endpoint.events.network*", + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", ] 
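Review bot: `updated_date` stays at `"2025/10/15"` in this hunk although the patch, dated 27 Oct, changes the rule's data sources and query; bump it to `updated_date = "2025/10/27"` (or the merge date) so the rule version is incremented together with the logic change. `endgame-*` is added to `index` and "Data Source: Elastic Endgame" to `tags` in the later hunk with no corresponding entry in `integration`; if that is the repo convention for Endgame data this is fine, otherwise it should be listed alongside the other sources.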
@@ -120,23 +123,24 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", "Data Source: SentinelOne", ] type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and -( +process.args like~ ( /* bind shell to specific port or listener */ - process.args:("-*l*","-*p*") or + "-*l*","-*p*", /* reverse shell to command-line interpreter used for command execution */ - (process.args:("-*e*")) or - /* file transfer via stdout */ - process.args:(">","<") or - /* file transfer via pipe */ - (process.args:"|") -) and -not process.command_line like~ ("*127.0.0.1*", "*localhost*") + "-*e*", + /* file transfer via stdout/pipe */ + ">","<", "|" +) ''' [[rule.threat]] From 69c6d16fb56505a6f54112381e546e7d23f2b3b4 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Fri, 31 Oct 2025 10:39:27 +0100 Subject: [PATCH 5/5] Add timestamp override to netcat execution rule --- ...ecution_file_transfer_or_listener_established_via_netcat.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 57f4c1e1149..59cdf65a41e 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -128,6 +128,7 @@ tags = [ "Data Source: Crowdstrike", "Data Source: SentinelOne", ] +timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and
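Review bot: The exclusion `not process.command_line like~ ("*127.0.0.1*", "*localhost*")` is dropped in this hunk without a word in the commit message; removing it is defensible, since any argument containing those strings suppressed the alert regardless of what netcat actually did, but the rationale belongs in the message and the `false_positives` entry (outside this hunk) should be checked for a now-stale reference to local-only use. With `like~`, `-*e*` still matches `--help`, `--version` and `--verbose`, `-*p*` matches `--proxy` and `--udp`, and none of the patterns match ncat's short `-c`, so `ncat host port -c /bin/sh` escapes while `nc --version` fires on every one of the five data sources now in `index`. A whole-string regex over bundled short options plus an explicit long-option list is tighter, e.g. `process.args regex "-[a-z]*[lpec][a-z]*" or process.args in ("--listen", "--exec", "--sh-exec", "--lua-exec")`, where `c` covers ncat's `-c` and can be dropped if OpenBSD nc's `-c` TLS flag proves too noisy. The `event.action` list should be confirmed against each source's process-start action value, since any mismatch silently excludes that source rather than erroring.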