Windows Admin Share Mount Via Net.EXE
Detects when an admin share is mounted using net.exe
Sigma rule (View on GitHub)
1title: Windows Admin Share Mount Via Net.EXE
2id: 3abd6094-7027-475f-9630-8ab9be7b9725
3related:
4 - id: f117933c-980c-4f78-b384-e3d838111165
5 type: similar
6status: test
7description: Detects when an admin share is mounted using net.exe
8references:
9 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
10author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
11date: 2020-10-05
12modified: 2023-02-21
13tags:
14 - attack.lateral-movement
15 - attack.t1021.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\net.exe'
23 - '\net1.exe'
24 - OriginalFileName:
25 - 'net.exe'
26 - 'net1.exe'
27 selection_cli:
28 CommandLine|contains|all:
29 - ' use '
30 - ' \\\\*\\*$'
31 condition: all of selection_*
32falsepositives:
33 - Administrators
34level: medium
References
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe