← Back to Explore
sigmalowHunting
Net.EXE Execution
Detects execution of "Net.EXE".
MITRE ATT&CK
discoverylateral-movement
Detection Query
selection_img:
- Image|endswith:
- \net.exe
- \net1.exe
- OriginalFileName:
- net.exe
- net1.exe
selection_cli:
CommandLine|contains:
- " accounts"
- " group"
- " localgroup"
- " share"
- " start"
- " stop "
- " user"
- " view"
condition: all of selection_*
Author
Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
Created
2019-01-16
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
Tags
attack.discoveryattack.t1007attack.t1049attack.t1018attack.t1135attack.t1201attack.t1069.001attack.t1069.002attack.t1087.001attack.t1087.002attack.lateral-movementattack.t1021.002attack.s0039detection.threat-hunting
Raw Content
title: Net.EXE Execution
id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
status: test
description: Detects execution of "Net.EXE".
references:
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
date: 2019-01-16
modified: 2022-07-11
tags:
- attack.discovery
- attack.t1007
- attack.t1049
- attack.t1018
- attack.t1135
- attack.t1201
- attack.t1069.001
- attack.t1069.002
- attack.t1087.001
- attack.t1087.002
- attack.lateral-movement
- attack.t1021.002
- attack.s0039
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains:
- ' accounts'
- ' group'
- ' localgroup'
- ' share'
- ' start'
- ' stop '
- ' user'
- ' view'
condition: all of selection_*
falsepositives:
- Likely
level: low