Windows Share Mount Via Net.EXE
Detects when a share is mounted using the "net.exe" utility
Sigma rule (View on GitHub)
1title: Windows Share Mount Via Net.EXE
2id: f117933c-980c-4f78-b384-e3d838111165
3related:
4 - id: 3abd6094-7027-475f-9630-8ab9be7b9725
5 type: similar
6status: test
7description: Detects when a share is mounted using the "net.exe" utility
8references:
9 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-02-02
12modified: 2023-02-21
13tags:
14 - attack.lateral-movement
15 - attack.t1021.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\net.exe'
23 - '\net1.exe'
24 - OriginalFileName:
25 - 'net.exe'
26 - 'net1.exe'
27 selection_cli:
28 CommandLine|contains:
29 - ' use '
30 - ' \\\\'
31 condition: all of selection_*
32falsepositives:
33 - Legitimate activity by administrators and scripts
34level: low
References
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe