Mounting Hidden or WebDav Remote Shares
Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.
Elastic rule
[metadata]
creation_date = "2020/11/02"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or
preparation for data exfiltration.
"""
from = "now-9m"
index = [
  "logs-endpoint.events.process-*",
  "winlogbeat-*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-system.security*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Mounting Hidden or WebDav Remote Shares"
risk_score = 47
rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Initial Access",
  "Tactic: Lateral Movement",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: System",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  ((process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and
    not process.parent.name : "net.exe")) and
  process.args : "use" and
  /* including hidden and webdav based online shares such as onedrive */
  process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and
  /* excluding shares deletion operation */
  not process.args : "/d*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Mounting Hidden or WebDav Remote Shares

WebDav and hidden remote shares facilitate file sharing and collaboration across networks, often used in enterprise environments. Adversaries exploit these to move laterally or exfiltrate data by mounting shares using tools like net.exe. The detection rule identifies suspicious share mounts by monitoring specific command patterns, excluding benign operations, to flag potential threats.

### Possible investigation steps

- Review the process details to confirm the use of net.exe or net1.exe for mounting shares, focusing on the process.name and process.pe.original_file_name fields.
- Examine the process.args field to identify the specific share being accessed, noting any patterns like "\\\\\\\\*\\\\*$*", "\\\\\\\\*@SSL\\\\*", or "http*" that indicate hidden or WebDav shares.
- Check the parent process information to determine if net1.exe was executed independently or as a child of another suspicious process, which could suggest malicious intent.
- Investigate the user account associated with the process to verify if the activity aligns with their typical behavior or if it appears anomalous.
- Correlate the event with other logs or alerts from the same host or user to identify any patterns of lateral movement or data exfiltration attempts.
- Assess the network activity around the time of the alert to detect any unusual outbound connections that might indicate data exfiltration.

### False positive analysis

- Legitimate use of net.exe for mounting network drives in enterprise environments can trigger false positives. Users can create exceptions for known internal IP addresses or specific user accounts frequently performing these actions.
- Automated scripts or system processes that use net.exe to connect to WebDav or hidden shares for legitimate purposes may be flagged. Identify these scripts and processes, and exclude them by their process hash or command line patterns.
- Regular operations involving OneDrive or other cloud-based services might be misidentified as suspicious. Exclude these by specifying known service URLs or domains in the detection rule.
- Administrative tasks involving network share management can be mistaken for threats. Document and exclude these tasks by correlating them with scheduled maintenance windows or specific admin user accounts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further lateral movement or data exfiltration.
- Terminate any suspicious processes related to net.exe or net1.exe that are actively mounting hidden or WebDav shares.
- Conduct a thorough review of recent file access and transfer logs to identify any unauthorized data access or exfiltration attempts.
- Change credentials for any accounts that were used in the suspicious activity to prevent further unauthorized access.
- Implement network segmentation to limit access to critical systems and sensitive data, reducing the risk of lateral movement.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Enhance monitoring and alerting for similar activities by ensuring that all relevant security tools are configured to detect and alert on suspicious use of net.exe and net1.exe."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.003"
name = "Local Accounts"
reference = "https://attack.mitre.org/techniques/T1078/003/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1087/001/"

[[rule.threat.technique.subtechnique]]
id = "T1087.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1087/002/"



[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
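To show how the query's conditions combine (the net.exe/net1.exe parent check, the three share patterns, and the `/d*` exclusion), here is an added Python re-implementation of the rule logic run over constructed process events. It is not Elastic's code; EQL's case-insensitive `:` wildcard operator is approximated with `fnmatch`, and the host names and arguments are made up.

```python
import fnmatch

# Share patterns as EQL sees them: the TOML ''' literal keeps backslashes,
# then EQL's own string unescaping collapses each "\\\\" to "\\".
SHARE_PATTERNS = [r"\\*\*$*", r"\\*@SSL\*", "http*"]
DELETE_PATTERN = "/d*"

def eql_like(value, pattern):
    """Approximates EQL's ':' operator: case-insensitive wildcard match."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())

def any_arg(args, patterns):
    """EQL matches an array field when any element matches any pattern."""
    return any(eql_like(a, p) for a in args for p in patterns)

def is_net_invocation(ev):
    name, ofn = ev.get("process.name"), ev.get("process.pe.original_file_name")
    if eql_like(name, "net.exe") or ofn == "net.exe":
        return True
    # net.exe hands off to net1.exe; alerting on a net1.exe child of net.exe
    # would double-count, so only a directly launched net1.exe qualifies.
    if eql_like(name, "net1.exe") or ofn == "net1.exe":
        return not eql_like(ev.get("process.parent.name"), "net.exe")
    return False

def rule_matches(ev):
    """True when a process-start event satisfies every condition of the query."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return False
    args = ev.get("process.args", [])
    return (is_net_invocation(ev)
            and any_arg(args, ["use"])
            and any_arg(args, SHARE_PATTERNS)
            and not any_arg(args, [DELETE_PATTERN]))

def make_event(name, args, parent="cmd.exe"):
    return {"host.os.type": "windows", "event.type": "start", "process.name": name,
            "process.pe.original_file_name": name, "process.parent.name": parent,
            "process.args": [name] + args}

# Constructed sample events (not from any real host); key suffix gives the expected outcome.
SAMPLE_EVENTS = {
    "admin_share_alert": make_event("net.exe", ["use", r"\\fileserver01\C$", r"/user:corp\svc"]),
    "webdav_ssl_alert": make_event("net.exe", ["use", "*", r"\\share.example.net@SSL\DavWWWRoot"]),
    "http_share_alert": make_event("net.exe", ["use", "Z:", "https://share.example.net/dav"]),
    "delete_no_alert": make_event("net.exe", ["use", r"\\fileserver01\C$", "/delete"]),
    "net1_child_no_alert": make_event("net1.exe", ["use", r"\\fileserver01\C$"], parent="net.exe"),
    "plain_share_no_alert": make_event("net.exe", ["use", "Y:", r"\\fileserver01\public"]),
}
```

The last case shows the rule's intended scope: a mount of an ordinary, non-hidden SMB share is not alerted on, only shares ending in `$`, `@SSL` WebDAV paths and `http` URLs are.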
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Command Execution via SolarWinds Process
- Execution via TSClient Mountpoint
- Potential Foxmail Exploitation
- Potential WSUS Abuse for Lateral Movement