Skip to content
Threat Feed
medium advisory

Powercat PowerShell Implementation Detection

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

Powercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…

Detection coverage 2

Detect Powercat Use via PowerShell Classic Logs

medium

Detects the execution of Powercat via PowerShell Classic logs based on the presence of 'powercat ' or 'powercat.ps1' in the logs.

sigma tactics: command_and_control, execution techniques: T1059.001, T1095 sources: ps_classic_start, windows

Detect Powercat Script Download

medium

Detects the download of powercat.ps1 script from the internet using powershell

sigma tactics: command_and_control, execution techniques: T1059.001, T1095 sources: process_creation, windows

Detection queries are kept inside the platform. Get full rules →