Password Provided In Command Line Of Net.EXE

calendar Feb 26, 2024 · attack.defense_evasion attack.initial_access attack.persistence attack.privilege_escalation attack.lateral_movement attack.t1021.002 attack.t1078  ·
Share on: linkedin copy

Detects a when net.exe is called with a password in the command line

Sigma rule (View on GitHub)

 1title: Password Provided In Command Line Of Net.EXE
 2id: d4498716-1d52-438f-8084-4a603157d131
 3status: test
 4description: Detects a when net.exe is called with a password in the command line
 5references:
 6    - Internal Research
 7author: Tim Shelton (HAWK.IO)
 8date: 2021/12/09
 9modified: 2023/02/21
10tags:
11    - attack.defense_evasion
12    - attack.initial_access
13    - attack.persistence
14    - attack.privilege_escalation
15    - attack.lateral_movement
16    - attack.t1021.002
17    - attack.t1078
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith:
24              - '\net.exe'
25              - '\net1.exe'
26        - OriginalFileName:
27              - 'net.exe'
28              - 'net1.exe'
29    selection_cli:
30        CommandLine|contains|all:
31            - ' use '
32            - ':*\\'
33            - '/USER:* *'
34    filter_main_empty:
35        CommandLine|endswith: ' '
36    condition: all of selection_* and not 1 of filter_main_*
37falsepositives:
38    - Unknown
39level: medium

References

Related rules

to-top