Password Provided In Command Line Of Net.EXE
Detects when net.exe is called with a password in the command line
Sigma rule (View on GitHub)
title: Password Provided In Command Line Of Net.EXE
id: d4498716-1d52-438f-8084-4a603157d131
status: test
description: Detects a when net.exe is called with a password in the command line
references:
    - Internal Research
author: Tim Shelton (HAWK.IO)
date: 2021/12/09
modified: 2023/02/21
tags:
    - attack.defense_evasion
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1078
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ':*\\'
            - '/USER:* *'
    filter_empty:
        CommandLine|endswith: ' '
    condition: all of selection_* and not 1 of filter*
falsepositives:
    - Unknown
level: medium
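The rule's condition evaluated over a few process-creation events, as an added example that is not part of the Sigma project: it assumes a simplified reading of the Sigma modifiers (case-insensitive matching, `*` as a wildcard, `\\` as one literal backslash), and every host name, account and password in the sample events is constructed.

```python
import re

# Values copied from the rule's detection section.
IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")
ORIGINAL_NAMES = ("net.exe", "net1.exe")
CLI_PATTERNS = [" use ", r":*\\", "/USER:* *"]   # CommandLine|contains|all

def sigma_contains(pattern, value):
    # Assumed Sigma semantics: case-insensitive, '*' any run, '?' one char,
    # a backslash escapes '*', '?' and itself; any other backslash is literal.
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.search("".join(out), value, re.IGNORECASE | re.DOTALL) is not None

def rule_matches(event):
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "")
    selection_img = image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES
    selection_cli = all(sigma_contains(p, cli) for p in CLI_PATTERNS)
    filter_empty = cli.endswith(" ")
    # condition: all of selection_* and not 1 of filter*
    return selection_img and selection_cli and not filter_empty

NET = r"C:\Windows\System32\net.exe"
BASE = r"net use Z: \\fileserver\share /USER:CORP\svc_backup"
# Constructed sample events (hosts, accounts and password are made up).
SAMPLES = {
    "password_on_cli": {"Image": NET, "CommandLine": BASE + " Winter2024!"},
    "prompted_no_password": {"Image": NET, "CommandLine": BASE},
    "trailing_space_only": {"Image": NET, "CommandLine": BASE + " "},
    "switch_after_user": {"Image": NET, "CommandLine": BASE + " /PERSISTENT:NO"},
    "renamed_binary": {"Image": r"C:\Temp\n.exe", "OriginalFileName": "net1.exe",
                       "CommandLine": BASE + " Winter2024!"},
    "other_process": {"Image": r"C:\Windows\System32\cmd.exe",
                      "CommandLine": "cmd /c " + BASE + " Winter2024!"},
}

def evaluate_samples():
    return {name: rule_matches(ev) for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22} {'ALERT' if hit else '-'}")
```

The `switch_after_user` event alerts although no password is present, because `/USER:* *` only requires a space somewhere after the user name; commands of that shape are a candidate for the rule's false-positive list.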
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Cisco BGP Authentication Failures
- Huawei BGP Authentication Failures
- Juniper BGP Missing MD5
- Cisco LDP Authentication Failures