Password Provided In Command Line Of Net.EXE

Detects when net.exe is called with a password in the command line

Sigma rule

title: Password Provided In Command Line Of Net.EXE
id: d4498716-1d52-438f-8084-4a603157d131
status: test
description: Detects a when net.exe is called with a password in the command line
references:
    - Internal Research
author: Tim Shelton (HAWK.IO)
date: 2021-12-09
modified: 2023-02-21
tags:
    - attack.defense-evasion
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1078
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ':*\\'
            - '/USER:* *'
    filter_main_empty:
        CommandLine|endswith: ' '
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
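
The rule's matching logic can be exercised against sample events before it is deployed. The Python below is an added example, not code from the Sigma project or the rule's author: it re-implements the rule's selections and filter by hand (it is not a Sigma backend), and every event, host, account and password in it is constructed. It also shows that any argument after /USER:, such as /persistent:yes, satisfies the '/USER:* *' pattern even when no password is present.

```python
import re

def rx(value, mode):
    """Compile one Sigma string value: '*'/'?' are wildcards, '\\' escapes them."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and value[i + 1:i + 2] in ("\\", "*", "?"):
            out.append(re.escape(value[i + 1]))  # escaped literal
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    body = "".join(out)
    pattern = {"contains": ".*" + body + ".*", "endswith": ".*" + body, "equals": body}[mode]
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)  # Sigma matching is case-insensitive

# Values copied from the rule's detection section (as they read after YAML parsing).
IMG_ENDSWITH = [r"\net.exe", r"\net1.exe"]
ORIGINAL_NAMES = ["net.exe", "net1.exe"]
CLI_CONTAINS_ALL = [" use ", r":*\\", "/USER:* *"]

def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    image = event.get("Image", "")
    ofn = event.get("OriginalFileName", "")
    cli = event.get("CommandLine", "")
    selection_img = (any(rx(v, "endswith").fullmatch(image) for v in IMG_ENDSWITH)
                     or any(rx(v, "equals").fullmatch(ofn) for v in ORIGINAL_NAMES))
    selection_cli = all(rx(v, "contains").fullmatch(cli) for v in CLI_CONTAINS_ALL)
    filter_main_empty = rx(" ", "endswith").fullmatch(cli) is not None
    return bool(selection_img and selection_cli and not filter_main_empty)

# Constructed process-creation events (hosts, accounts and password are made up).
NET = r"C:\Windows\System32\net.exe"
SAMPLES = {
    "password after /USER:": (NET, "net.exe", r"net use Z: \\fs01\share /USER:CORP\alice ExamplePassw0rd"),
    "no password": (NET, "net.exe", r"net use Z: \\fs01\share /user:CORP\alice"),
    "trailing space only": (NET, "net.exe", r"net use Z: \\fs01\share /USER:CORP\alice "),
    "switch after /USER: (false positive)": (NET, "net.exe", r"net use Z: \\fs01\share /USER:CORP\alice /persistent:yes"),
    "other binary": (r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"cmd.exe /c dir \\fs01\share"),
}

def evaluate(samples=SAMPLES):
    """Return {sample name: True if the rule would alert}."""
    return {name: rule_matches({"Image": i, "OriginalFileName": o, "CommandLine": c})
            for name, (i, o, c) in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'no match':8}  {name}")
```
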
