Share And Session Enumeration Using Net.EXE
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
Sigma rule (View on GitHub)
1title: Share And Session Enumeration Using Net.EXE
2id: 62510e69-616b-4078-b371-847da438cc03
3status: stable
4description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
5references:
6 - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
7 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
8author: Endgame, JHasenbusch (ported for oscd.community)
9date: 2018/10/30
10modified: 2023/02/21
11tags:
12 - attack.discovery
13 - attack.t1018
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith:
20 - '\net.exe'
21 - '\net1.exe'
22 - OriginalFileName:
23 - 'net.exe'
24 - 'net1.exe'
25 selection_cli:
26 CommandLine|contains: 'view'
27 filter:
28 CommandLine|contains: '\\\\'
29 condition: all of selection_* and not filter
30fields:
31 - ComputerName
32 - User
33 - CommandLine
34falsepositives:
35 - Legitimate use of net.exe utility by legitimate user
36level: low
References
-
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Cisco Discovery
- Nltest.EXE Execution
- PUA - AdFind Suspicious Execution
- Linux Remote System Discovery
- Macos Remote System Discovery