Windows Admin Share Mount Via Net.EXE

calendar Oct 18, 2023 · attack.lateral_movement attack.t1021.002  ·
Share on: linkedin copy

Detects when an admin share is mounted using net.exe

Sigma rule (View on GitHub)

 1title: Windows Admin Share Mount Via Net.EXE
 2id: 3abd6094-7027-475f-9630-8ab9be7b9725
 3related:
 4    - id: f117933c-980c-4f78-b384-e3d838111165
 5      type: similar
 6status: test
 7description: Detects when an admin share is mounted using net.exe
 8references:
 9    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
10author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
11date: 2020/10/05
12modified: 2023/02/21
13tags:
14    - attack.lateral_movement
15    - attack.t1021.002
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith:
22              - '\net.exe'
23              - '\net1.exe'
24        - OriginalFileName:
25              - 'net.exe'
26              - 'net1.exe'
27    selection_cli:
28        CommandLine|contains|all:
29            - ' use '
30            - ' \\\\*\\*$'
31    condition: all of selection_*
32falsepositives:
33    - Administrators
34level: medium

References

Related rules

to-top