Sigma rules for Net
14 rules · scoped to tool · back to Net
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Manipulation Of Default Accounts Via Net.EXE
id: 5b768e71-86f2-4879-b448-81061cbae951
status: test
description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
references:
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_user_option:
CommandLine|contains: ' user '
selection_username:
CommandLine|contains:
# Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
- ' Järjestelmänvalvoja ' # Finish
- ' Rendszergazda ' # Hungarian
- ' Администратор ' # Russian
- ' Administrateur ' # French
- ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
- ' Administratör ' # Swedish
- ' Administrator ' # English
- ' guest '
- ' DefaultAccount '
# The cases below are for when an attacker requests the net command via 'cmd /c....'
# First in double quotes
- ' "Järjestelmänvalvoja" ' # Finish
- ' "Rendszergazda" ' # Hungarian
- ' "Администратор" ' # Russian
- ' "Administrateur" ' # French
- ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
- ' "Administratör" ' # Swedish
- ' "Administrator" ' # English
- ' "guest" '
- ' "DefaultAccount" '
# Second in single quotes
- " 'Järjestelmänvalvoja' " # Finish
- " 'Rendszergazda' " # Hungarian
- " 'Администратор' " # Russian
- " 'Administrateur' " # French
- " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
- " 'Administratör' " # Swedish
- " 'Administrator' " # English
- " 'guest' "
- " 'DefaultAccount' "
filter:
CommandLine|contains|all:
- 'guest'
- '/active no'
condition: all of selection_* and not filter
falsepositives:
- Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
level: high
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' http'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: New User Created Via Net.EXE With Never Expire Option
id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
related:
- id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
type: derived
status: test
description: Detects creation of local users via the net.exe command with the option "never expire"
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-02-21
tags:
- attack.persistence
- attack.t1136.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'user'
- 'add'
- 'expires:never'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
status: test
description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
- https://twitter.com/_felamos/status/1204705548668555264
- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2025-10-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet.exe'
- OriginalFileName: '.NET Host'
selection_cli:
CommandLine|endswith:
- '.csproj'
- '.csproj"'
- '.dll'
- '.dll"'
- ".csproj'"
- ".dll'"
filter_optional_notepadplus_plus:
ParentImage:
- 'C:\Program Files (x86)\Notepad++\notepad++.exe'
- 'C:\Program Files\Notepad++\notepad++.exe'
CommandLine|contains|all:
- 'C:\ProgramData\CSScriptNpp\'
- '-cscs_path:'
- '\cs-script\cscs.dll'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administrator usage
level: medium
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-03-02
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
# Covers group and localgroup flags
selection_group_root:
CommandLine|contains:
- ' group '
- ' localgroup '
selection_group_flags:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
- ' /do' # short for domain
filter_group_add:
# This filter is added to avoid the potential case where the point is not recon but addition
CommandLine|contains: ' /add'
# Covers 'accounts' flag
selection_accounts_root:
CommandLine|contains: ' accounts '
selection_accounts_flags:
CommandLine|contains: ' /do' # short for domain
condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
- Inventory tool runs
- Administrative activity
level: medium
title: New User Created Via Net.EXE
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
related:
- id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
type: similar
status: test
description: Identifies the creation of local users via the net.exe command.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
- attack.persistence
- attack.t1136.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'user'
- 'add'
condition: all of selection_*
falsepositives:
- Legitimate user creation.
- Better use event IDs for user creation rather than command line rules.
level: medium
title: Windows Admin Share Mount Via Net.EXE
id: 3abd6094-7027-475f-9630-8ab9be7b9725
related:
- id: f117933c-980c-4f78-b384-e3d838111165
type: similar
status: test
description: Detects when an admin share is mounted using net.exe
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
date: 2020-10-05
modified: 2023-02-21
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' \\\\*\\*$'
condition: all of selection_*
falsepositives:
- Administrators
level: medium
title: Password Provided In Command Line Of Net.EXE
id: d4498716-1d52-438f-8084-4a603157d131
status: test
description: Detects a when net.exe is called with a password in the command line
references:
- Internal Research
author: Tim Shelton (HAWK.IO)
date: 2021-12-09
modified: 2023-02-21
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.lateral-movement
- attack.stealth
- attack.t1021.002
- attack.t1078
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ':*\\'
- '/USER:* *'
filter_main_empty:
CommandLine|endswith: ' '
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: System Network Connections Discovery Via Net.EXE
id: 1c67a717-32ba-409b-a45d-0fb704a73a81
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
author: frack113
date: 2021-12-10
modified: 2023-02-21
tags:
- attack.discovery
- attack.t1049
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
- CommandLine|endswith:
- ' use'
- ' sessions'
- CommandLine|contains:
- ' use '
- ' sessions '
condition: all of selection_*
falsepositives:
- Unknown
level: low
title: Windows Share Mount Via Net.EXE
id: f117933c-980c-4f78-b384-e3d838111165
related:
- id: 3abd6094-7027-475f-9630-8ab9be7b9725
type: similar
status: test
description: Detects when a share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-02
modified: 2023-02-21
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains:
- ' use '
- ' \\\\'
condition: all of selection_*
falsepositives:
- Legitimate activity by administrators and scripts
level: low
title: Start Windows Service Via Net.EXE
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: test
description: Detects the usage of the "net.exe" command to start a service using the "start" flag
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2023-03-05
tags:
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: all of selection_*
falsepositives:
- Legitimate administrator or user executes a service for legitimate reasons.
level: low
title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020-10-08
modified: 2023-02-21
tags:
- attack.stealth
- attack.t1070.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'share'
- '/delete'
condition: all of selection*
falsepositives:
- Administrators or Power users may remove their shares via cmd line
level: low
title: Share And Session Enumeration Using Net.EXE
id: 62510e69-616b-4078-b371-847da438cc03
status: stable
description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains: 'view'
filter:
CommandLine|contains: '\\\\'
condition: all of selection_* and not filter
falsepositives:
- Legitimate use of net.exe utility by legitimate user
level: low
title: Stop Windows Service Via Net.EXE
id: 88872991-7445-4a22-90b2-a3adadb0e827
related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsolete
status: test
description: Detects the stopping of a Windows service via the "net" utility.
references:
- https://ss64.com/nt/net-service.html
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
- Image|endswith:
- '\net.exe'
- '\net1.exe'
selection_cli:
CommandLine|contains: ' stop '
condition: all of selection_*
falsepositives:
- There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low