@Samirbous
Created October 23, 2025 08:01
{
"_index": ".ds-alert_telemetry_elastic-2025.10.19-001577",
"_id": "308d63d342f925186e07ebbbd35831db69faeb068099fc2e9f0a01d5d4c8a9b9",
"_version": 1,
"_source": {
"@timestamp": "2025-10-21T10:11:02.108000Z",
"agent": {
"build": {
"original": "version: 9.1.2, compiled: Thu Aug 7 15:00:00 2025, branch: HEAD, commit: 26c15136855b7ac73fdaa74b77e6492f254420c5"
},
"id": "6570a119-1004-44eb-b3eb-5324657de79e",
"type": "endpoint",
"version": "9.1.2"
},
"Endpoint": {
"policy": {
"applied": {
"name": "myDefend",
"id": "27c05512-d3ed-4826-9f1d-d8876a66d61a",
"endpoint_policy_version": "11",
"version": "12",
"artifacts": {
"global": {
"manifest_type": "stable",
"identifiers": [
{
"sha256": "44341700c27a82d3b4a8471cfe8a57447fc6ddbac8f1e855707dd3767e9491e2",
"name": "diagnostic-configuration-v1"
},
{
"sha256": "338eb3e0d0c2b7efcd291ca270a0a6188d3632a25c7a8dc5d020fdb44293e12f",
"name": "diagnostic-endpointpe-v4-blocklist"
},
{
"sha256": "a020a49c7b76c56d44a06021fca7107441c5a58fed934d066927f4f62b0f5973",
"name": "diagnostic-endpointpe-v4-exceptionlist"
},
{
"sha256": "75243507347ddd2a28bdc646127a250023036709bccbdf82f65accd6b13c2e37",
"name": "diagnostic-endpointpe-v4-model"
},
{
"sha256": "fd827c57f7b99723b3f6f7dbf0c2644ac5147f4ebbe320edc6ccd4b7ce68001c",
"name": "diagnostic-malware-signature-v1-windows"
},
{
"sha256": "9636fb1bda16d4dc236d40d2aeb379f30d81276028e9b3048002e3ca6a83dfb5",
"name": "diagnostic-ransomware-v1-windows"
},
{
"sha256": "9dee7d7020b2d107d158087e798f3f41e46f4debb2a49bc0c85ce42fbcfbfa90",
"name": "diagnostic-rules-windows-v1"
},
{
"sha256": "1c0de0df678f1e42eed7635722be3e82fd6731585bc2618086d126ec9b70121b",
"name": "endpointpe-v4-blocklist"
},
{
"sha256": "32f384e1601ac318f7615a02244e54873b5865bcb4ff61e754361a9b80ddf582",
"name": "endpointpe-v4-exceptionlist"
},
{
"sha256": "cf2335c28acaee3072ffd893f229242be71ba75043ae96576227f9fea651c497",
"name": "endpointpe-v4-model"
},
{
"sha256": "85501044f22938c806155e33a171abbce9eb4c1544d45d45c6c049c7cb1395d7",
"name": "global-configuration-v1"
},
{
"sha256": "3a6bf42f273a2e663d9ad273b445cca21d9da8bb336f6f62b262dc55598e1005",
"name": "global-eventfilterlist-windows-v1"
},
{
"sha256": "f50a756ecf8fd5c4fbe40efbec2bac52f9deb1dab44850f107b4b27663406573",
"name": "global-exceptionlist-windows"
},
{
"sha256": "aaeab218a20828574c347e88ecb4eb411ffca9e8496c484327b2213f49e1dc9e",
"name": "global-trustlist-windows-v1"
},
{
"sha256": "b67908fbe7ac0f52d0f5eb41942e1321b297a2a3ce0fac9a4dcc5d9d2931b84a",
"name": "production-malware-signature-v1-windows"
},
{
"sha256": "e3efc40c7e3fc0a590a074011abf990ab120f9f182b3dbca7b32ee58d0e5c3aa",
"name": "production-ransomware-v1-windows"
},
{
"sha256": "608fb0db8fa37493c5cdcbb4e319ff911937bb8b021efc3efb7d58d1cf88d3bf",
"name": "production-rules-windows-v1"
},
{
"sha256": "07f2a166efe84d3b52b6cd8b841f33ffe6eb8e2297cefd4eaa3e50e567b4d30e",
"name": "tamper-protection-config-v1"
}
],
"channel": "default",
"update_age": 0,
"version": "1.0.1650+2025-10-20-daily",
"snapshot": "latest"
},
"user": {
"identifiers": [
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-blocklist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-eventfilterlist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-exceptionlist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-hostisolationexceptionlist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-trustlist-windows-v1"
}
],
"version": "1.0.0"
}
}
}
}
},
"data_stream": {
"namespace": "default",
"type": ".logs",
"dataset": "endpoint.diagnostic.collection"
},
"ecs": {
"version": "8.10.0"
},
"elastic": {
"agent": {
"id": "6570a119-1004-44eb-b3eb-5324657de79e"
}
},
"Events": [
{
"event": {
"created": "2025-10-21T10:06:36.4134873Z",
"kind": "event",
"action": [
"start"
],
"id": "OD7Qsc+w5oDgnoVp+++11d37",
"category": [
"process"
],
"type": [
"start"
],
"outcome": "unknown"
},
"message": "Endpoint process event",
"process": {
"parent": {
"args": [
"nc.exe",
"-nvlp",
"4444",
"-e",
"cmd.exe"
],
"entity_id": "x4wzHpCYxQEraTE6uPyqqw",
"name": "nc.exe",
"executable": "C:\\Users\\Administrator\\Downloads\\nc.exe",
"code_signature": {
"trusted": true,
"subject_name": "Jernej Simoncic - Open Source Developer",
"exists": true,
"status": "trusted"
},
"command_line": "nc.exe -nvlp 4444 -e cmd.exe",
"pid": 13696,
"Ext": {
"code_signature": [
{
"trusted": true,
"subject_name": "Jernej Simoncic - Open Source Developer",
"exists": true,
"status": "trusted"
}
]
},
"thread": {
"Ext": {
"call_stack_summary": "ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|nc.exe|kernel32.dll|ntdll.dll",
"call_stack": [
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!NtCreateUserProcess+0x14"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64IsStackExtentsCheckEnforced+0x1395"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64IsStackExtentsCheckEnforced+0xb81"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64SystemServiceEx+0x153"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64cpu.dll!TurboDispatchJumpAddressEnd+0xb"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64cpu.dll!BTCpuSimulate+0x9"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64LdrpInitialize+0x25a"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64LdrpInitialize+0x120"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitShimEngineDynamic+0x31dd"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0x1db"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0x63"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0xe"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!NtCreateUserProcess+0xc"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!CreateProcessInternalW+0x194f"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!CreateProcessInternalA+0x28b"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!CreateProcessA+0x2c"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x25ac"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x2019"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x210d"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x5176"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x10db"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x1178"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk+0x19"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0xed"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0xbd"
}
]
}
}
},
"args": [
"cmd.exe"
],
"entity_id": "+b+2zcKvA/s0DF0AqKN/cw",
"name": "cmd.exe",
"executable": "C:\\Windows\\SysWOW64\\cmd.exe",
"code_signature": {
"trusted": true,
"subject_name": "Microsoft Windows",
"exists": true,
"status": "trusted"
},
"command_line": "cmd.exe",
"hash": {
"sha256": "b94d1c553c7ef81df040d6be59120eb0a8f67aec1a787a2b6b537309cbaf8cc4"
},
"pid": 15536,
"pe": {
"imphash": "392b4d61b1d1dadc1f06444df258188a",
"original_file_name": "Cmd.Exe"
},
"Ext": {
"mitigation_policies": [
"CF Guard"
],
"ancestry": [
"x4wzHpCYxQEraTE6uPyqqw",
"DG0i3P+N95HJTex40guagg",
"gOTarFPsizbG5hbDup8/YA",
"+e3YbstTtSH+f2HULjd8Yw",
"1Kg8jOr53Qh/Hw60n40n0g"
],
"code_signature": [
{
"trusted": true,
"subject_name": "Microsoft Windows",
"exists": true,
"status": "trusted"
}
],
"hidden": {
"behaviors": {
"api": [],
"network": {
"incoming": [],
"outgoing": []
}
}
},
"session_info": {
"authentication_package": "NTLM",
"relative_password_age": 29456567.5911947,
"user_flags": [
"LOGON_EXTRA_SIDS",
"LOGON_NTLMV2_ENABLED",
"LOGON_WINLOGON"
],
"relative_logon_time": 327150.1856445,
"id": 1,
"logon_type": "Interactive"
},
"relative_file_creation_time": 147291086.8067533,
"authentication_id": "0x1a1997",
"relative_file_name_modify_time": 147291086.7911209,
"token": {
"integrity_level_name": "high",
"security_attributes": [
"TSA://ProcUnique"
],
"elevation_level": "default"
}
}
},
"user": {
"id": "S-1-5-21-2202811333-351044183-798744757-500"
}
}
],
"rule": {
"id": "2e80dd26-3966-4a16-9fad-ac643b5dd66e",
"name": "DIAG: Potential Shell Execution via NetCat",
"ruleset": "diagnostic",
"version": "1.0.0"
},
"host": {
"architecture": "x86_64",
"id": "cb7eef6d-979b-434c-b48f-5a91a9c6cfcf",
"os": {
"Ext": {
"variant": "Windows Server 2019 Standard"
},
"kernel": "1809 (10.0.17763.2061)",
"name": "Windows",
"family": "windows",
"type": "windows",
"version": "1809 (10.0.17763.2061)",
"platform": "windows",
"full": "Windows Server 2019 Standard 1809 (10.0.17763.2061)"
}
},
"event": {
"Ext": {
"diagnostic_alert_rate": {
"hits_rule": 2,
"hits_code": 12,
"remaining_tokens": 86
}
},
"severity": 99,
"code": "behavior",
"risk_score": 99,
"created": "2025-10-21T10:06:36.4131334Z",
"kind": "alert",
"module": "endpoint",
"type": [
"info",
"allowed"
],
"agent_id_status": "verified",
"sequence": 349416,
"ingested": "2025-10-21T10:06:50Z",
"action": "rule_detection",
"id": "OD7Qsc+w5oDgnoVp+++11d3J",
"category": [
"malware",
"intrusion_detection"
],
"dataset": "endpoint.diagnostic.collection",
"outcome": "success"
},
"message": "Malicious Behavior Detection Alert: DIAG: Potential Shell Execution via NetCat",
"process": {
"parent": {
"args": [
"nc.exe",
"-nvlp",
"4444",
"-e",
"cmd.exe"
],
"entity_id": "x4wzHpCYxQEraTE6uPyqqw",
"name": "nc.exe",
"executable": "C:\\Users\\Administrator\\Downloads\\nc.exe",
"code_signature": {
"trusted": true,
"subject_name": "Jernej Simoncic - Open Source Developer",
"exists": true,
"status": "trusted"
},
"command_line": "nc.exe -nvlp 4444 -e cmd.exe",
"pid": 13696,
"Ext": {
"code_signature": [
{
"trusted": true,
"subject_name": "Jernej Simoncic - Open Source Developer",
"exists": true,
"status": "trusted"
}
]
},
"thread": {
"Ext": {
"call_stack_summary": "ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|nc.exe|kernel32.dll|ntdll.dll",
"call_stack": [
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!NtCreateUserProcess+0x14"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64IsStackExtentsCheckEnforced+0x1395"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64IsStackExtentsCheckEnforced+0xb81"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64SystemServiceEx+0x153"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64cpu.dll!TurboDispatchJumpAddressEnd+0xb"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64cpu.dll!BTCpuSimulate+0x9"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64LdrpInitialize+0x25a"
},
{
"symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64LdrpInitialize+0x120"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitShimEngineDynamic+0x31dd"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0x1db"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0x63"
},
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0xe"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!NtCreateUserProcess+0xc"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!CreateProcessInternalW+0x194f"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!CreateProcessInternalA+0x28b"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!CreateProcessA+0x2c"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x25ac"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x2019"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x210d"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x5176"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x10db"
},
{
"symbol_info": "C:\\Users\\Administrator\\Downloads\\nc.exe+0x1178"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk+0x19"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0xed"
},
{
"symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0xbd"
}
]
}
}
},
"args": [
"cmd.exe"
],
"entity_id": "+b+2zcKvA/s0DF0AqKN/cw",
"name": "cmd.exe",
"executable": "C:\\Windows\\SysWOW64\\cmd.exe",
"code_signature": {
"trusted": true,
"subject_name": "Microsoft Windows",
"exists": true,
"status": "trusted"
},
"command_line": "cmd.exe",
"hash": {
"sha256": "b94d1c553c7ef81df040d6be59120eb0a8f67aec1a787a2b6b537309cbaf8cc4"
},
"pid": 15536,
"pe": {
"imphash": "392b4d61b1d1dadc1f06444df258188a",
"original_file_name": "Cmd.Exe"
},
"Ext": {
"mitigation_policies": [
"CF Guard"
],
"ancestry": [
"x4wzHpCYxQEraTE6uPyqqw",
"DG0i3P+N95HJTex40guagg",
"gOTarFPsizbG5hbDup8/YA",
"+e3YbstTtSH+f2HULjd8Yw",
"1Kg8jOr53Qh/Hw60n40n0g"
],
"code_signature": [
{
"trusted": true,
"subject_name": "Microsoft Windows",
"exists": true,
"status": "trusted"
}
],
"hidden": {
"behaviors": {
"api": [],
"network": {
"incoming": [],
"outgoing": []
}
}
},
"session_info": {
"authentication_package": "NTLM",
"relative_password_age": 29456567.5911947,
"user_flags": [
"LOGON_EXTRA_SIDS",
"LOGON_NTLMV2_ENABLED",
"LOGON_WINLOGON"
],
"relative_logon_time": 327150.1856445,
"id": 1,
"logon_type": "Interactive"
},
"relative_file_creation_time": 147291086.8067533,
"authentication_id": "0x1a1997",
"relative_file_name_modify_time": 147291086.7911209,
"token": {
"integrity_level_name": "high",
"security_attributes": [
"TSA://ProcUnique"
],
"elevation_level": "default"
}
}
},
"threat": [
{
"tactic": {
"reference": "https://attack.mitre.org/tactics/TA0002/",
"name": "Execution",
"id": "TA0002"
},
"technique": [
{
"reference": "https://attack.mitre.org/techniques/T1059/",
"name": "Command and Scripting Interpreter",
"subtechnique": [
{
"reference": "https://attack.mitre.org/techniques/T1059/003/",
"name": "Windows Command Shell",
"id": "T1059.003"
},
{
"reference": "https://attack.mitre.org/techniques/T1059/001/",
"name": "PowerShell",
"id": "T1059.001"
}
],
"id": "T1059"
}
]
}
],
"user": {
"id": "S-1-5-21-2202811333-351044183-798744757-500"
},
"cluster_uuid": "8s9OKKlRR1GIgEcNLLdaYA",
"cluster_name": "3c91b0724dbf472dadec536cfb24e52d",
"license": {
"uid": "90db30a7-19e4-42e6-b1fc-c76567ada0e2",
"status": "active",
"type": "enterprise",
"issued_to": "Elastic Cloud",
"issuer": "API"
},
"channel": "alerts-endpoint",
"location": "gs://elastic-telemetry-prod-data/raw/alerts-endpoint/2025/10/21/47732d88ce67b8c994f9f245ac32e00a-1761041461.9739695",
"version": "9.1.2",
"cloud": {
"deployment_info": {
"cluster_name": "3c91b0724dbf472dadec536cfb24e52d",
"is_cloud": true,
"domain": "[email protected]",
"is_elastic_internal": true,
"in_trial": false,
"account_uuid": "586246785",
"deployment_parent": "3c91b0724dbf472dadec536cfb24e52d",
"create_date": "2025-08-25T09:25:51+00:00",
"industry": "sn-unavailable",
"cloudCustomerDeploymentMetadata": {
"cloud_docid": "kpi-deployments-hourly-2025-10-19-13_3c91b0724dbf472dadec536cfb24e52d",
"timestamp_cloud": "2025-10-19T13:00:00+00:00",
"timestamp_sda": "2025-10-20T12:56:45.563752664Z"
}
}
}
},
"fields": {
"event.ingested": [
"2025-10-21T10:06:50.000Z"
],
"@timestamp": [
"2025-10-21T10:11:02.108Z"
],
"cloud.deployment_info.create_date": [
"2025-08-25T09:25:51.000Z"
],
"Events.event.created": [
"2025-10-21T10:06:36.413Z"
],
"cloud.deployment_info.cloudCustomerDeploymentMetadata.timestamp_cloud": [
"2025-10-19T13:00:00.000Z"
],
"cloud.deployment_info.cloudCustomerDeploymentMetadata.timestamp_sda": [
"2025-10-20T12:56:45.563Z"
],
"event.created": [
"2025-10-21T10:06:36.413Z"
]
}
}