← Back to Explore
sigmamediumHunting
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
Detection Query
selection_img:
- Image|endswith:
- \net.exe
- \net1.exe
- OriginalFileName:
- net.exe
- net1.exe
selection_group_root:
CommandLine|contains:
- " group "
- " localgroup "
selection_group_flags:
CommandLine|contains:
- domain admins
- " administrator"
- " administrateur"
- enterprise admins
- Exchange Trusted Subsystem
- Remote Desktop Users
- Utilisateurs du Bureau à distance
- Usuarios de escritorio remoto
- " /do"
filter_group_add:
CommandLine|contains: " /add"
selection_accounts_root:
CommandLine|contains: " accounts "
selection_accounts_flags:
CommandLine|contains: " /do"
condition: selection_img and ((all of selection_group_* and not
filter_group_add) or all of selection_accounts_*)
Author
Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
Created
2019-01-16
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.discoveryattack.t1087.001attack.t1087.002
Raw Content
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-03-02
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
# Covers group and localgroup flags
selection_group_root:
CommandLine|contains:
- ' group '
- ' localgroup '
selection_group_flags:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
- ' /do' # short for domain
filter_group_add:
# This filter is added to avoid the potential case where the point is not recon but addition
CommandLine|contains: ' /add'
# Covers 'accounts' flag
selection_accounts_root:
CommandLine|contains: ' accounts '
selection_accounts_flags:
CommandLine|contains: ' /do' # short for domain
condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
- Inventory tool runs
- Administrative activity
level: medium