rules/windows/process_creation/win_susp_net_execution.yml

title: Net.exe Execution
id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
status: experimental
description: Detects execution of Net.exe, whether suspicious or benign.
references:
    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
    - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
date: 2019/01/16
modified: 2020/08/30
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1018
    - attack.t1135
    - attack.t1201
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1087.001
    - attack.t1087.002
    - attack.lateral_movement    
    - attack.t1021.002
    - attack.t1077      # an old one
    - attack.s0039
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image:
            - '*\net.exe'
            - '*\net1.exe'
    cmdline:
        CommandLine:
            - '* group*'
            - '* localgroup*'
            - '* user*'
            - '* view*'
            - '* share'
            - '* accounts*'
            - '* use*'
            - '* stop *'
    condition: selection and cmdline
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
level: low
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Net.exe Execution`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
			`description: Detects execution of Net.exe, whether suspicious or benign.`
			`references:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/`
Update win_susp_net_execution.yml 2019-10-25 12:06:32 +11:00			`- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html`
			`- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html`
Update win_susp_net_execution.yml 2019-10-25 12:20:47 +11:00			`- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html`
Update win_susp_net_execution.yml 2019-10-25 12:06:32 +11:00			`author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2019/01/16`
att&ck tags review: windows/process_creation part 7 2020-08-30 19:17:38 +03:00			`modified: 2020/08/30`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`tags:`
att&ck tags review: windows/process_creation part 7 2020-08-30 19:17:38 +03:00			`- attack.discovery`
Update win_susp_net_execution.yml 2019-10-25 12:06:32 +11:00			`- attack.t1049`
att&ck tags review: windows/process_creation part 7 2020-08-30 19:17:38 +03:00			`- attack.t1018`
Update win_susp_net_execution.yml 2019-10-25 12:06:32 +11:00			`- attack.t1135`
att&ck tags review: windows/process_creation part 7 2020-08-30 19:17:38 +03:00			`- attack.t1201`
			`- attack.t1069.001`
			`- attack.t1069.002`
			`- attack.t1087.001`
			`- attack.t1087.002`
			`- attack.lateral_movement`
			`- attack.t1021.002`
			`- attack.t1077 # an old one`
			`- attack.s0039`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
			`Image:`
			`- '*\net.exe'`
			`- '*\net1.exe'`
Update win_susp_net_execution.yml 2019-10-25 12:06:32 +11:00			`cmdline:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`CommandLine:`
			`- '* group*'`
			`- '* localgroup*'`
			`- '* user*'`
			`- '* view*'`
			`- '* share'`
			`- '* accounts*'`
			`- '* use*'`
Added command that stops services. 2019-06-28 19:46:34 +03:00			`- '* stop *'`
Update win_susp_net_execution.yml 2019-11-11 02:57:59 +03:00			`condition: selection and cmdline`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`fields:`
OSCD QA wave 1 2020-01-11 00:11:27 +01:00			`- ComputerName`
			`- User`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- Will need to be tuned. If using Splunk, I recommend \| stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: low`