TFTP_GET nc.exe


Code: p617

Severity: Warning


Description: This event is generated when a TFTP GET request is made for "nc.exe". This could be an indication that a remote attacker has compromised a Windows based system and is attempting to move attack tools onto the system.

Impact: In normal situations this is a good indication that the host transmitting the request has been compromised by a remote attacker. If the request was successful it is a clear indication that the host is now under the control of a remote attacker. Once "nc.exe" is executed on the compromised system a remote attacker will be able to run arbitrary commands with the privilege level of the user that executed "nc.exe".

Detailed Information: NetCat (nc.exe) is a widely used Unix and Windows utility that reads and writes data across network connections. It can be used to redirect an application's input and output across a network and allows remote attackers an easy way to move rootkits and other tools onto a compromised system. Currently this rule searches for "nc.exe" in TFTP GET requests. Many times this rule will detect the first stages of a remote compromise attempt, as many attackers use NetCat to gain a command prompt on Windows based systems.
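The detection described above, as an added illustration that is not part of the original rule documentation and not the signature itself: a small Python parser for TFTP read requests (RFC 1350 RRQ, i.e. a TFTP GET) run over constructed sample UDP payloads. It shows two matching strategies, a loose substring match on "nc.exe" in the spirit of the description, and a stricter case-insensitive basename match, so that a benign request such as "sync.exe" is visible as a false positive of the loose form. The sample payloads, the function names and the `substring_only` switch are this example's own assumptions.

```python
import struct

TFTP_RRQ = 1  # "read request": the client asks the server for a file (a TFTP GET)
TFTP_WRQ = 2  # "write request": the client pushes a file to the server


def parse_tftp_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ packet (RFC 1350) from a raw UDP payload.

    Returns (opcode, filename, mode) or None when the payload is not a
    well-formed request, so malformed traffic never raises in the caller.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    # filename and mode are NUL-terminated strings; options (RFC 2347) may follow
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return opcode, fields[0].decode("ascii"), fields[1].decode("ascii")
    except UnicodeDecodeError:
        return None


def basename_of(filename: str) -> str:
    # Windows paths may use backslashes; normalise so "tools\nc.exe" and
    # "/tmp/nc.exe" both yield "nc.exe". Windows names are case-insensitive.
    return filename.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_nc_exe_get(payload: bytes, substring_only: bool = False) -> bool:
    """True when the payload is a TFTP GET (RRQ) for nc.exe."""
    parsed = parse_tftp_request(payload)
    if parsed is None or parsed[0] != TFTP_RRQ:
        return False  # not a request, or a WRQ (upload) rather than a GET
    filename = parsed[1]
    if substring_only:
        # Loose match: "nc.exe" anywhere in the name, which also fires on "sync.exe"
        return "nc.exe" in filename.lower()
    return basename_of(filename) == "nc.exe"


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Construct a TFTP RRQ payload (used here only to build sample traffic)."""
    return (struct.pack("!H", TFTP_RRQ) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


# Constructed sample UDP payloads (not captured traffic): (label, bytes)
SAMPLE_PAYLOADS = [
    ("plain get", build_rrq("nc.exe")),
    ("mixed case", build_rrq("NC.EXE", "netascii")),
    ("path prefix", build_rrq("tools\\nc.exe")),
    ("benign get", build_rrq("boot.cfg")),
    ("substring trap", build_rrq("sync.exe")),
    ("write, not get", struct.pack("!H", TFTP_WRQ) + b"nc.exe\x00octet\x00"),
    ("truncated", b"\x00\x01nc.exe"),  # missing mode and terminators
]


def scan(payloads, substring_only: bool = False):
    """Return the labels of the payloads that would raise this alert."""
    return [label for label, data in payloads if is_nc_exe_get(data, substring_only)]


if __name__ == "__main__":
    print("basename match :", scan(SAMPLE_PAYLOADS))
    print("substring match:", scan(SAMPLE_PAYLOADS, substring_only=True))
```

The basename form flags the three genuine requests for nc.exe and ignores the write request, the malformed packet and "sync.exe"; the substring form additionally flags "sync.exe", which is the kind of hit an analyst should expect to triage when a rule matches on a short file name fragment.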

Corrective: The host generating the request should be investigated for evidence of a compromise. If it is determined that the system has been compromised the only safe way to recover the system is to format the system drives and re-install the system.