Mounting Hidden or WebDav Remote Shares

Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/11/02"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or
preparation for data exfiltration.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Mounting Hidden or WebDav Remote Shares"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Mounting Hidden or WebDav Remote Shares

WebDav and hidden remote shares facilitate file sharing and collaboration across networks, often used in enterprise environments. Adversaries exploit these to move laterally or exfiltrate data by mounting shares using tools like net.exe. The detection rule identifies suspicious share mounts by monitoring specific command patterns, excluding benign operations, to flag potential threats.

### Possible investigation steps

- Review the process details to confirm the use of net.exe or net1.exe for mounting shares, focusing on the process.name and process.pe.original_file_name fields.
- Examine the process.args field to identify the specific share being accessed, noting any patterns like "\\\\\\\\*\\\\*$*", "\\\\\\\\*@SSL\\\\*", or "http*" that indicate hidden or WebDav shares.
- Check the parent process information to determine if net1.exe was executed independently or as a child of another suspicious process, which could suggest malicious intent.
- Investigate the user account associated with the process to verify if the activity aligns with their typical behavior or if it appears anomalous.
- Correlate the event with other logs or alerts from the same host or user to identify any patterns of lateral movement or data exfiltration attempts.
- Assess the network activity around the time of the alert to detect any unusual outbound connections that might indicate data exfiltration.

### False positive analysis

- Legitimate use of net.exe for mounting network drives in enterprise environments can trigger false positives. Users can create exceptions for known internal IP addresses or specific user accounts frequently performing these actions.
- Automated scripts or system processes that use net.exe to connect to WebDav or hidden shares for legitimate purposes may be flagged. Identify these scripts and processes, and exclude them by their process hash or command line patterns.
- Regular operations involving OneDrive or other cloud-based services might be misidentified as suspicious. Exclude these by specifying known service URLs or domains in the detection rule.
- Administrative tasks involving network share management can be mistaken for threats. Document and exclude these tasks by correlating them with scheduled maintenance windows or specific admin user accounts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further lateral movement or data exfiltration.
- Terminate any suspicious processes related to net.exe or net1.exe that are actively mounting hidden or WebDav shares.
- Conduct a thorough review of recent file access and transfer logs to identify any unauthorized data access or exfiltration attempts.
- Change credentials for any accounts that were used in the suspicious activity to prevent further unauthorized access.
- Implement network segmentation to limit access to critical systems and sensitive data, reducing the risk of lateral movement.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Enhance monitoring and alerting for similar activities by ensuring that all relevant security tools are configured to detect and alert on suspicious use of net.exe and net1.exe."""
risk_score = 47
rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 ((process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and
 not process.parent.name : "net.exe")) and
 process.args : "use" and
 /* including hidden and webdav based online shares such as onedrive  */
 process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and
 /* excluding shares deletion operation */
 not process.args : "/d*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.003"
name = "Local Accounts"
reference = "https://attack.mitre.org/techniques/T1078/003/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1087/001/"

[[rule.threat.technique.subtechnique]]
id = "T1087.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1087/002/"



[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
...
```
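To see how the clauses of the query interact (the three share patterns, the net1.exe parent exclusion, the `/d*` deletion exclusion, and the `?process.pe.original_file_name` fallback for renamed binaries), here is an added example that re-implements the rule's matching logic in plain Python and runs it over hand-constructed process events. It is not Elastic's code and not part of the rule; the host names (fs01), user names (jdoe, svc_backup), share paths and the `EXAMPLE_EXCEPTIONS` allowlist are invented, and the `evt` helper only builds minimal ECS-shaped dictionaries.

```python
"""Plain-Python emulation of the EQL rule above, run over constructed process
events. Added example, not Elastic's code; every event below is constructed by
hand and the host, user and share names are invented."""
from fnmatch import fnmatchcase

# The three share patterns exactly as the query states them, after EQL string
# unescaping: "\\\\*\\*$*" in the rule source is the literal \\*\*$*.
SHARE_PATTERNS = (r"\\*\*$*", r"\\*@SSL\*", "http*")


def eql_match(value, pattern):
    """EQL ':' operator: case-insensitive wildcard match, '*' is the only wildcard."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def any_arg(args, pattern):
    """'process.args : pattern' is true when any element of the array matches."""
    return any(eql_match(a, pattern) for a in args)


def is_net_binary(event):
    """The process.name / original_file_name / parent clause of the query."""
    name = event.get("process.name")
    orig = event.get("process.pe.original_file_name")  # '?' in EQL: field may be absent
    if eql_match(name, "net.exe") or orig == "net.exe":  # '==' is case-sensitive in EQL
        return True
    # net.exe hands most work to a child net1.exe; that child is skipped so one
    # command does not alert twice, but net1.exe run directly still counts.
    if eql_match(name, "net1.exe") or orig == "net1.exe":
        return not eql_match(event.get("process.parent.name"), "net.exe")
    return False


def rule_matches(event, exceptions=()):
    """Return True when the event would fire the rule.

    exceptions: iterable of (user_pattern, share_pattern) pairs; an event whose
    user.name and one argument match a pair is suppressed, the way the
    false-positive section suggests excluding known accounts and shares.
    """
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not is_net_binary(event):
        return False
    args = event.get("process.args", [])
    fired = (any_arg(args, "use")
             and any(any_arg(args, p) for p in SHARE_PATTERNS)
             and not any_arg(args, "/d*"))      # 'net use <share> /delete' is ignored
    if not fired:
        return False
    user = event.get("user.name")
    return not any(eql_match(user, u) and any_arg(args, s) for u, s in exceptions)


def evt(name, args, parent="cmd.exe", user="jdoe", orig=None, os_type="windows"):
    """Build a minimal ECS-shaped process start event (constructed, not real telemetry)."""
    e = {"host.os.type": os_type, "event.type": "start", "user.name": user,
         "process.name": name, "process.parent.name": parent,
         "process.args": [name] + args}
    if orig is not None:
        e["process.pe.original_file_name"] = orig
    return e


# Constructed sample events covering each branch of the query.
SAMPLE_EVENTS = {
    "hidden_admin_share": evt("net.exe", ["use", "Z:", r"\\fs01\C$", r"/user:corp\jdoe", "Passw0rd"]),
    "webdav_ssl_share":   evt("net.exe", ["use", "Z:", r"\\d.docs.live.net@SSL\DavWWWRoot\Documents"]),
    "webdav_http_url":    evt("net.exe", ["use", "*", "https://files.example.net/dav"]),
    "net1_direct":        evt("net1.exe", ["use", "Z:", r"\\fs01\ADMIN$"], parent="powershell.exe"),
    "net1_child_of_net":  evt("net1.exe", ["use", "Z:", r"\\fs01\ADMIN$"], parent="net.exe"),
    "renamed_net":        evt("n.exe", ["use", "X:", r"\\fs01\IPC$"], orig="net.exe"),
    "backup_job":         evt("net.exe", ["use", "B:", r"\\fs01\D$"], user="svc_backup"),
    "share_deletion":     evt("net.exe", ["use", r"\\fs01\C$", "/delete"]),
    "ordinary_share":     evt("net.exe", ["use", "Z:", r"\\fs01\Public"]),
    "not_windows":        evt("net.exe", ["use", "Z:", r"\\fs01\C$"], os_type="linux"),
}

# A constructed exception: the backup service account mounting any hidden share on fs01.
EXAMPLE_EXCEPTIONS = [("svc_backup", r"\\fs01\*$*")]


def evaluate(events=SAMPLE_EVENTS, exceptions=()):
    """Map each sample label to whether the rule fires on it."""
    return {label: rule_matches(e, exceptions) for label, e in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate(exceptions=EXAMPLE_EXCEPTIONS).items():
        print(f"{'ALERT' if hit else '  -  '}  {label}")
```

Two things the run makes visible that the query alone does not. First, the `net1.exe` branch is about de-duplication, not evasion: `net.exe use ...` normally spawns `net1.exe` with the same arguments, so the child is dropped when its parent is `net.exe`, while `net1.exe` launched straight from a shell (a common way to dodge `net.exe`-only rules) is still caught. Second, the `process.pe.original_file_name` check is prefixed with `?`, so the renamed-binary case only works on data sources that populate that field; sources that do not still match on `process.name`. Note also that `net use ... /user:<name> <password>` puts the credential into `process.args`, so the alert document itself may carry a secret and should be handled accordingly. The emulation is a reasoning aid, not a substitute for testing the rule in the stack.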
