rules/windows/sysmon/sysmon_susp_net_execution.yml

title: Net.exe execution
status: experimental
description: Detects execution of Net.exe, whether suspicious or benign.
reference: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
author: Michael Haag
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\net.exe'
        CommandLine:
            - 'net group*'
            - 'net localgroup*'
            - 'net user*'
            - 'net view*'
            - 'net share'
            - 'net accounts*'
            - 'net use*'
    condition: selection
falsepositives:
    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
level: medium
net.exe and wmic.exe 2017-03-25 06:48:23 -07:00			`title: Net.exe execution`
			`status: experimental`
			`description: Detects execution of Net.exe, whether suspicious or benign.`
			`reference: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/`
			`author: Michael Haag`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 1`
			`Image:`
			`- '*\net.exe'`
			`CommandLine:`
			`- 'net group*'`
			`- 'net localgroup*'`
			`- 'net user*'`
			`- 'net view*'`
			`- 'net share'`
			`- 'net accounts*'`
			`- 'net use*'`
			`condition: selection`
			`falsepositives:`
			`- Will need to be tuned. If using Splunk, I recommend \| stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.`
			`level: medium`