Netcat Execution Detected
No violationsstackroxmediumruntimeDetects execution of netcat in a container
- Rationale
- netcat is a known malicious process
- Remediation
- Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution
CategoriesNetwork Tools
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.4(b)
- ISO/IEC 27001 2022
- A.8.20
- NIST SP 800-53 rev. 5
- CM-7
- PCI DSS 4.0
- 2.2.4
Generated artifacts
1 of 5 targets supportednetcat-execution-detected.yaml
- rule: netcat-execution-detected
desc: Detects execution of netcat in a container
condition: proc.name in ("nc")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Netcat Execution Detected)
priority: WARNING
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "6abf0df8-736b-4530-8849-6a1344cf17fe",
"name": "Netcat Execution Detected",
"description": "Detects execution of netcat in a container",
"rationale": "netcat is a known malicious process",
"remediation": "Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution",
"severity": "medium",
"categories": [
"Network Tools"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-name",
"values": [
"nc"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "6abf0df8-736b-4530-8849-6a1344cf17fe",
"name": "Netcat Execution Detected",
"description": "Detects execution of netcat in a container",
"rationale": "netcat is a known malicious process",
"remediation": "Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution",
"disabled": false,
"categories": [
"Network Tools"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "nc"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0007",
"techniques": [
"T1046"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}