Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM).

Sigma rule

title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
    Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE.
    Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019/01/16
modified: 2023/03/02
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    # Covers group and localgroup flags
    selection_group_root:
        CommandLine|contains:
            - ' group '
            - ' localgroup '
    selection_group_flags:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Deliberately without the trailing 's' so both 'administrator' and 'administrators' match
            - ' administrateur' # Deliberately without the trailing 's' so both 'administrateur' and 'administrateurs' match
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
            - ' /do' # short for /domain
    filter_group_add:
        # This filter is added to avoid the case where the intent is not recon but addition of a member
        CommandLine|contains: ' /add'
    # Covers 'accounts' flag
    selection_accounts_root:
        CommandLine|contains: ' accounts '
    selection_accounts_flags:
        CommandLine|contains: ' /do' # short for /domain
    condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
    - Inventory tool runs
    - Administrative activity
level: medium
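To make the condition concrete, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that transcribes the rule's selections and condition into a small Python evaluator and runs it over constructed process-creation events. It assumes Sigma's default case-insensitive string matching, uses the Sigma field names as attribute names, and all sample command lines are constructed for illustration.

```python
# Added example (not from the Sigma rule or the SigmaHQ project): a minimal
# evaluator for this rule's detection logic, run over constructed
# process-creation events, to show which net.exe invocations it flags.
# Sigma string modifiers match case-insensitively; that is mirrored here.

from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class ProcessCreation:
    """Subset of a Windows process_creation event (constructed sample data)."""
    Image: str
    CommandLine: str
    OriginalFileName: Optional[str] = None


def _contains_any(value: str, needles: Sequence[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value: str, needles: Sequence[str]) -> bool:
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


# The rule's selections, transcribed from the YAML above.
IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")
ORIGINAL_FILENAMES = ("net.exe", "net1.exe")
GROUP_ROOT = (" group ", " localgroup ")
GROUP_FLAGS = (
    "domain admins",
    " administrator",   # no trailing 's': matches singular and plural
    " administrateur",
    "enterprise admins",
    "Exchange Trusted Subsystem",
    "Remote Desktop Users",
    "Utilisateurs du Bureau à distance",
    "Usuarios de escritorio remoto",
    " /do",             # prefix of ' /domain'
)
GROUP_ADD_FILTER = (" /add",)
ACCOUNTS_ROOT = (" accounts ",)
ACCOUNTS_FLAGS = (" /do",)


def matches(ev: ProcessCreation) -> bool:
    """True if the event satisfies the rule's condition:
    selection_img and ((all of selection_group_* and not filter_group_add)
                       or all of selection_accounts_*)"""
    selection_img = _endswith_any(ev.Image, IMAGE_SUFFIXES) or (
        ev.OriginalFileName is not None
        and ev.OriginalFileName.lower() in ORIGINAL_FILENAMES
    )
    if not selection_img:
        return False

    cmd = ev.CommandLine
    group_recon = (
        _contains_any(cmd, GROUP_ROOT)
        and _contains_any(cmd, GROUP_FLAGS)
        and not _contains_any(cmd, GROUP_ADD_FILTER)
    )
    accounts_recon = _contains_any(cmd, ACCOUNTS_ROOT) and _contains_any(cmd, ACCOUNTS_FLAGS)
    return group_recon or accounts_recon


NET = "C:\\Windows\\System32\\net.exe"
NET1 = "C:\\Windows\\System32\\net1.exe"

# Constructed sample events: typical post-compromise recon next to commands
# the rule deliberately does not flag.
SAMPLE_EVENTS = [
    ProcessCreation(NET, 'net group "domain admins" /domain'),            # flagged
    ProcessCreation(NET1, "net1 localgroup administrators"),              # flagged
    ProcessCreation(NET, "net localgroup administrators backdoor /add"),  # excluded by /add filter
    ProcessCreation(NET, "net accounts /domain"),                         # flagged
    ProcessCreation(NET, "net accounts"),                                 # local policy only, not flagged
    ProcessCreation(NET, "net user /domain"),                             # no group/accounts root, not flagged
    # Renamed copy: Image no longer ends in net.exe, but OriginalFileName still does.
    ProcessCreation("C:\\Users\\Public\\n.exe", 'n.exe group "enterprise admins" /do', "net.exe"),
]


def flagged_commands(events=SAMPLE_EVENTS) -> list:
    """Command lines the rule would alert on, in input order."""
    return [ev.CommandLine for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{'ALERT ' if matches(ev) else 'ignore'}  {ev.CommandLine}")
```

Two behaviours worth noting when tuning this rule: the `' /do'` substring is a prefix match, so both `/do` and `/domain` satisfy it, and a plain `net accounts` without a domain switch is not flagged. The `OriginalFileName` branch of `selection_img` is what keeps a renamed copy of net.exe in scope, provided the log source (for example Sysmon) records that PE header field.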
