Share And Session Enumeration Using Net.EXE

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.

Sigma rule (View on GitHub)

 1title: Share And Session Enumeration Using Net.EXE
 2id: 62510e69-616b-4078-b371-847da438cc03
 3status: stable
 4description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
 5references:
 6    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 8author: Endgame, JHasenbusch (ported for oscd.community)
 9date: 2018-10-30
10modified: 2023-02-21
11tags:
12    - attack.discovery
13    - attack.t1018
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith:
20              - '\net.exe'
21              - '\net1.exe'
22        - OriginalFileName:
23              - 'net.exe'
24              - 'net1.exe'
25    selection_cli:
26        CommandLine|contains: 'view'
27    filter:
28        CommandLine|contains: '\\\\'
29    condition: all of selection_* and not filter
30fields:
31    - ComputerName
32    - User
33    - CommandLine
34falsepositives:
35    - Legitimate use of net.exe utility by legitimate user
36level: low

References

Related rules

to-top