100 Days of YARA – Day 23: socat

socat is a tool similar to netcat which allows its user to redirect network traffic. Popular with penetration testers, researchers, systems administrators, and threat actors alike, socat has legitimate uses but is often abused by attackers to establish shells or exfiltrate data.

Here are examples of this tool being used legitimately:

Here are examples of socat being abused:

This rule will detect potential socat binaries. It is worth investigating if matches reside on an uncommon filesystem path:

rule socat
{
	meta:
		description = "socat multipurpose relay"
		reference = "http://www.dest-unreach.org/socat/"

	strings:
		$ = "socat version %s on %s"

	condition:
		all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 23: socat

  1. Pingback: Week 03 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s