Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE

Sigma rule (View on GitHub)

 1title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
 2id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
 3status: test
 4description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
 5references:
 6    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
 7    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 8    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 9author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
10date: 2019/01/16
11modified: 2023/03/02
12tags:
13    - attack.discovery
14    - attack.t1087.001
15    - attack.t1087.002
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith:
22              - '\net.exe'
23              - '\net1.exe'
24        - OriginalFileName:
25              - 'net.exe'
26              - 'net1.exe'
27    # Covers group and localgroup flags
28    selection_group_root:
29        CommandLine|contains:
30            - ' group '
31            - ' localgroup '
32    selection_group_flags:
33        CommandLine|contains:
34            # Add more groups for other languages
35            - 'domain admins'
36            - ' administrator' # Typo without an 'S' so we catch both
37            - ' administrateur' # Typo without an 'S' so we catch both
38            - 'enterprise admins'
39            - 'Exchange Trusted Subsystem'
40            - 'Remote Desktop Users'
41            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
42            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
43            - ' /do' # short for domain
44    filter_group_add:
45        # This filter is added to avoid the potential case where the point is not recon but addition
46        CommandLine|contains: ' /add'
47    # Covers 'accounts' flag
48    selection_accounts_root:
49        CommandLine|contains: ' accounts '
50    selection_accounts_flags:
51        CommandLine|contains: ' /do' # short for domain
52    condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
53fields:
54    - CommandLine
55    - ParentCommandLine
56falsepositives:
57    - Inventory tool runs
58    - Administrative activity
59level: medium
60analysis:
61    recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)

References

Related rules

to-top