Sigma rules for Net Crawler
11 rules · scoped to tool · back to Net Crawler
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Netcat Reverse Shell Execution
id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
status: test
description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
- https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
- https://www.infosecademy.com/netcat-reverse-shells/
- https://man7.org/linux/man-pages/man1/ncat.1.html
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_nc:
Image|endswith:
- '/nc'
- '/ncat'
selection_flags:
CommandLine|contains:
- ' -c '
- ' -e '
selection_shell:
CommandLine|contains:
- ' ash'
- ' bash'
- ' bsh'
- ' csh'
- ' ksh'
- ' pdksh'
- ' sh'
- ' tcsh'
- '/bin/ash'
- '/bin/bash'
- '/bin/bsh'
- '/bin/csh'
- '/bin/ksh'
- '/bin/pdksh'
- '/bin/sh'
- '/bin/tcsh'
- '/bin/zsh'
- '$IFSash'
- '$IFSbash'
- '$IFSbsh'
- '$IFScsh'
- '$IFSksh'
- '$IFSpdksh'
- '$IFSsh'
- '$IFStcsh'
- '$IFSzsh'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Suspicious Child Process of AspNetCompiler
id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
related:
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\aspnet_compiler.exe'
selection_child:
# Note: add other potential suspicious child processes and paths
- Image|endswith:
- '\calc.exe'
- '\notepad.exe'
- Image|contains:
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Local\Roaming\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
modified: 2025-02-24
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\aspnet_compiler.exe'
CommandLine|contains:
# Note: add other potential suspicious paths
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Local\Roaming\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
condition: selection
falsepositives:
- Unknown
level: high
title: PUA - Netcat Suspicious Execution
id: e31033fc-33f0-4020-9a16-faf9b31cbf08
status: test
description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
- https://nmap.org/ncat/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
- https://www.revshells.com/
author: frack113, Florian Roth (Nextron Systems)
date: 2021-07-21
modified: 2023-02-08
tags:
- attack.command-and-control
- attack.t1095
logsource:
category: process_creation
product: windows
detection:
selection_img:
# can not use OriginalFileName as is empty
Image|endswith:
- '\nc.exe'
- '\ncat.exe'
- '\netcat.exe'
selection_cmdline:
# Typical command lines
CommandLine|contains:
- ' -lvp '
- ' -lvnp'
- ' -l -v -p '
- ' -lv -p '
- ' -l --proxy-type http '
# - ' --exec cmd.exe ' # Not specific enough for netcat
- ' -vnl --exec '
- ' -vnl -e '
- ' --lua-exec '
- ' --sh-exec '
condition: 1 of selection_*
falsepositives:
- Legitimate ncat use
level: high
title: Suspicious C2 Activities
id: f7158a64-6204-4d6d-868a-6e6378b467e0
status: test
description: |
Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
references:
- https://github.com/Neo23x0/auditd
author: Marie Euler
date: 2020-05-18
modified: 2021-11-27
tags:
- attack.command-and-control
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ss -p x -k susp_activity
-w /usr/bin/netstat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/scp -p x -k susp_activity
-w /usr/bin/sftp -p x -k susp_activity
-w /usr/bin/ftp -p x -k susp_activity
-w /usr/bin/socat -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/tshark -p x -k susp_activity
-w /usr/bin/rawshark -p x -k susp_activity
-w /usr/bin/rdesktop -p x -k susp_activity
-w /usr/local/bin/rdesktop -p x -k susp_activity
-w /usr/bin/wlfreerdp -p x -k susp_activity
-w /usr/bin/xfreerdp -p x -k susp_activity
-w /usr/local/bin/xfreerdp -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
(via https://github.com/Neo23x0/auditd/blob/ddf2603dbc985f97538d102f13b4e4446b402bae/audit.rules#L336)
detection:
selection:
key: 'susp_activity'
condition: selection
falsepositives:
- Admin or User activity
level: medium
title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
type: derived
status: test
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021-07-21
modified: 2023-10-27
tags:
- attack.command-and-control
- attack.execution
- attack.t1095
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains:
- 'powercat '
- 'powercat.ps1'
condition: selection
falsepositives:
- Unknown
level: medium
title: Assembly DLL Creation Via AspNetCompiler
id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: |
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
- attack.execution
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\aspnet_compiler.exe'
TargetFilename|contains|all:
- '\Temporary ASP.NET Files\'
- '\assembly\tmp\'
- '.dll'
condition: selection
falsepositives:
- Legitimate assembly compilation using a build provider
level: medium
title: File Download Via InstallUtil.EXE
id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
status: test
description: |
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\InstallUtil.exe'
- OriginalFileName: 'InstallUtil.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: AspNetCompiler Execution
id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: frack113
date: 2021-11-24
modified: 2025-02-24
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\aspnet_compiler.exe'
condition: selection
falsepositives:
- Unknown
level: medium
title: Potential File Download Via MS-AppInstaller Protocol Handler
id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
related:
- id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
type: derived
status: test
description: |
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
references:
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'ms-appinstaller://?source='
- 'http'
condition: selection
falsepositives:
- Unknown
level: medium
title: File Download Using ProtocolHandler.exe
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
status: test
description: |
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
author: frack113
date: 2021-07-13
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\protocolhandler.exe'
- OriginalFileName: 'ProtocolHandler.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium