feat: some often used ncat command line strings

Florian Roth 2021-07-22 15:00:50 +02:00 committed by GitHub
parent 1b537cac5d
commit cbc7a746d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -18,7 +18,14 @@ detection:
# can not use OriginalFileName as is empty
Image|endswith:
- '\ncat.exe'
condition: selection
selection_cmdline:
# Typical command lines
CommandLine|contains:
- ' -lvp '
- ' -l --proxy-type http '
- ' --exec cmd.exe '
- ' -vnl --exec '
condition: selection or selection_cmdline
falsepositives:
- Legitimate ncat use
level: medium
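Review bot: The new `selection_cmdline` entry `' --exec cmd.exe '` requires a trailing space, so a command line that ends with that argument will not match. Dropping the trailing space, `- ' --exec cmd.exe'`, closes that gap. Because the condition is now `selection or selection_cmdline`, these strings match regardless of the image name. That is presumably meant to catch renamed binaries, but `falsepositives` still names only ncat, so consider adding an entry such as `- Other tools that accept the same flags (e.g. -lvp)`. The `detection` block starts above the hunk, so the rest of `selection` is not visible here.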