System Network Connections Discovery Via Net.EXE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Sigma rule
title: System Network Connections Discovery Via Net.EXE
id: 1c67a717-32ba-409b-a45d-0fb704a73a81
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
author: frack113
date: 2021-12-10
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: windows
detection:
    # Either the image path or the PE OriginalFileName identifies net.exe / net1.exe
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    # 'use' or 'sessions' as the last token, or followed by further arguments
    selection_cli:
        - CommandLine|endswith:
              - ' use'
              - ' sessions'
        - CommandLine|contains:
              - ' use '
              - ' sessions '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
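The rule's matching logic, evaluated over sample events, as an added example that is not part of the rule or the Sigma project's code. It assumes Sysmon-style field names (Image, OriginalFileName, CommandLine) and Sigma's default case-insensitive string matching; the events and the helper names are constructed for illustration.

```python
# Added example: evaluates the rule's detection logic over constructed events.
IMG_SUFFIXES = ("\\net.exe", "\\net1.exe")
ORIG_NAMES = ("net.exe", "net1.exe")
CLI_ENDSWITH = (" use", " sessions")
CLI_CONTAINS = (" use ", " sessions ")


def selection_img(event):
    """Image path suffix OR PE OriginalFileName (still set on a renamed copy)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMG_SUFFIXES) or original in ORIG_NAMES


def selection_cli(event):
    """Sub-command as the last token OR followed by further arguments."""
    cli = event.get("CommandLine", "").lower()
    return cli.endswith(CLI_ENDSWITH) or any(s in cli for s in CLI_CONTAINS)


def matches(event):
    """condition: all of selection_* (both selections must hold)."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events; paths, hosts and command lines are illustrative.
SAMPLES = [
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net use"},
    {"Image": r"C:\Windows\System32\net1.exe", "OriginalFileName": "net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 sessions"},
    {"Image": r"C:\Users\Public\n.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"n.exe USE \\fileserver\share"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net user"},
    {"Image": r"C:\Tools\report.exe", "OriginalFileName": "report.exe",
     "CommandLine": "report.exe --mode use"},
]


def run_samples():
    return [matches(e) for e in SAMPLES]


if __name__ == "__main__":
    for event, hit in zip(SAMPLES, run_samples()):
        print("MATCH" if hit else "-----", event["CommandLine"])
```

The fourth sample shows why the rule pairs endswith ' use' with contains ' use ': 'net user' satisfies neither, so account enumeration does not trigger this rule.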
Related rules
- Cisco Discovery
- HackTool - SharpView Execution
- System Network Connections Discovery - Linux
- System Network Connections Discovery - MacOs
- Use Get-NetTCPConnection