socat is a tool similar to netcat which allows its user to redirect network traffic. Popular with penetration testers, researchers, systems administrators, and threat actors alike, socat has legitimate uses but is often abused by attackers to establish shells or exfiltrate data.
Here are examples of this tool being used legitimately:
Here are examples of socat being abused:
- https://assume-breach.medium.com/using-https-redirectors-with-metasploit-and-silenttrinity-c2-frameworks-4a5639e025ca
- https://artkond.com/2017/03/23/pivoting-guide/#socat
This rule will detect potential socat binaries. It is worth investigating if matches reside on an uncommon filesystem path:
```yara
rule socat
{
    meta:
        description = "socat multipurpose relay"
        reference = "http://www.dest-unreach.org/socat/"
    strings:
        $ = "socat version %s on %s"
    condition:
        all of them
}
```
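To show how the rule's match could be triaged against the "uncommon path" advice, here is an added Python example (not part of the original post) that scans a directory tree for the same version format string and flags hits outside the directories where a packaged socat normally lives. The tree it scans is constructed inline, and the list of expected install directories is an assumption to adjust to your own baseline.

```python
import os
import tempfile

# The same signature the YARA rule keys on: socat's version banner format string.
SOCAT_SIGNATURE = b"socat version %s on %s"


def matches_socat_rule(path):
    """True if the file contains the socat version format string (mirrors the rule)."""
    try:
        with open(path, "rb") as f:
            return SOCAT_SIGNATURE in f.read()
    except OSError:
        return False


def scan_tree(root, expected_dirs):
    """Walk root; return sorted [(relative_path, uncommon)] for each matching file.

    expected_dirs (relative to root) are where a packaged socat normally lives;
    a hit anywhere else is flagged uncommon=True and deserves a closer look.
    """
    expected = {os.path.normpath(d) for d in expected_dirs}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if matches_socat_rule(full):
                rel = os.path.relpath(full, root)
                parent = os.path.normpath(os.path.dirname(rel))
                hits.append((rel.replace(os.sep, "/"), parent not in expected))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a packaged socat, a renamed copy hidden under tmp,
    and an unrelated binary. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="socat-scan-")
    files = {
        "usr/bin/socat": b"\x7fELF..." + SOCAT_SIGNATURE + b"\x00",
        "tmp/.cache/x": b"\x7fELF..." + SOCAT_SIGNATURE + b"\x00",
        "usr/bin/ls": b"\x7fELF... ls (GNU coreutils)\x00",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, uncommon in scan_tree(root, ["usr/bin", "usr/local/bin", "bin"]):
        print(f"{rel}: {'INVESTIGATE' if uncommon else 'expected location'}")
```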