splunk_escuHunting

Windows Network Share Interaction Via Net

The following analytic identifies network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities.

MITRE ATT&CK

T1135 T1039

Detection Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE (
        `process_net`
        OR
        (Processes.process_name="net.exe"
        OR
        Processes.original_file_name="net.exe")
    )
    AND Processes.process IN ("*use *", "*view*")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_network_share_interaction_via_net_filter`

Author

Dean Luxton

Created

2026-03-24

Data Sources

Sysmon EventID 1Windows Event Log Security 4688CrowdStrike ProcessRollup2

References

https://attack.mitre.org/techniques/T1135/

Tags

Active Directory DiscoveryActive Directory Privilege EscalationNetwork Discovery

Raw Content

name: Windows Network Share Interaction Via Net
id: e51fbdb0-0be0-474f-92ea-d289f71a695e
version: 6
date: '2026-03-24'
author: Dean Luxton
status: production
type: Hunting
data_source:
    - Sysmon EventID 1
    - Windows Event Log Security 4688
    - CrowdStrike ProcessRollup2
description: The following analytic identifies network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities.
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
      WHERE (
            `process_net`
            OR
            (Processes.process_name="net.exe"
            OR
            Processes.original_file_name="net.exe")
        )
        AND Processes.process IN ("*use *", "*view*")
      BY Processes.action Processes.dest Processes.original_file_name
         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
         Processes.process Processes.process_exec Processes.process_guid
         Processes.process_hash Processes.process_id Processes.process_integrity_level
         Processes.process_name Processes.process_path Processes.user
         Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_network_share_interaction_via_net_filter`
how_to_implement: The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common Information Model (CIM) to normalize the field names capture the data within the datamodel schema.
known_false_positives: Administrators or power users may use this command. Additional filters needs to be applied.
references:
    - https://attack.mitre.org/techniques/T1135/
tags:
    analytic_story:
        - Active Directory Discovery
        - Active Directory Privilege Escalation
        - Network Discovery
    asset_type: Endpoint
    atomic_guid:
        - ab39a04f-0c93-4540-9ff2-83f862c385ae
    mitre_attack_id:
        - T1135
        - T1039
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog