[Rule Tuning] File Transfer or Listener Established via Netcat (#5223)

* [Rule Tuning] File Transfer or Listener Established via Netcat

* Formatting

* Update execution_file_transfer_or_listener_established_via_netcat.toml

* Update execution_file_transfer_or_listener_established_via_netcat.toml

* Add timestamp override to netcat execution rule

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

Author: Aegrah

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/10/15"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ false_positives = [
 from = "now-9m"
 index = [
     "auditbeat-*",
-    "logs-endpoint.events.network*",
+    "endgame-*",
+    "logs-auditd_manager.auditd-*",
+    "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
 ]
@@ -121,46 +123,41 @@ tags = [
     "Tactic: Execution",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Auditd Manager",
+    "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
 ]
+timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-sequence by process.entity_id
-  [process where host.os.type == "linux" and event.type == "start" and
-      process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and (
-          /* bind shell to echo for command execution */
-          (process.args:("-l","-p") and process.args:("-c","echo","$*"))
-          /* bind shell to specific port */
-          or process.args:("-l","-p","-lp")
-          /* reverse shell to command-line interpreter used for command execution */
-          or (process.args:("-e") and process.args:("/bin/bash","/bin/sh"))
-          /* file transfer via stdout */
-          or process.args:(">","<")
-          /* file transfer via pipe */
-          or (process.args:("|") and process.args:("nc","ncat"))
-      ) and
-      not process.command_line like~ ("*127.0.0.1*", "*localhost*")]
-  [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
-                  process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and
+process.args like~ (
+  /* bind shell to specific port or listener */
+  "-*l*","-*p*",
+  /* reverse shell to command-line interpreter used for command execution */
+  "-*e*",
+  /* file transfer via stdout/pipe */
+  ">","<", "|"
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-