From ae34e020c2ddae99a332b00ce08d539ea396fdbd Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 9 Dec 2021 20:33:37 +0000
Subject: [PATCH] Adding new sig to detect password on commandline

---
 .../win_susp_net_use_password_plaintext.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_net_use_password_plaintext.yml

diff --git a/rules/windows/process_creation/win_susp_net_use_password_plaintext.yml b/rules/windows/process_creation/win_susp_net_use_password_plaintext.yml
new file mode 100644
index 000000000..308c779fd
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_net_use_password_plaintext.yml
@@ -0,0 +1,21 @@
+title: Password provided in command line of net.exe
+id: d4498716-1d52-438f-8084-4a603157d131
+status: experimental
+description: Detects a when net.exe is called with a password in the command line
+references:
+ - Internal Research
+author: Tim Shelton (HAWK.IO)
+date: 2021/12/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: C:\Windows\System32\net.exe
+ selection_special:
+ - Image|re:
+ - 'net.*use [a-zA-]\:\s+\\\\[^\s]+\s+\/USER:\s*[^\s]+\s+([^\s]+)'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
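Review bot: The regex in `selection_special` is bound to `Image|re:`, but the pattern `net.*use … /USER: …` describes the command line, while `Image` holds only the executable path that `selection` already pins to `C:\Windows\System32\net.exe`; with `all of selection*` the two can never match the same event, so the rule as written never fires and the field should be `CommandLine|re:`. The drive-letter class `[a-zA-]` also looks like a typo for `[a-zA-Z]` — as written it accepts lowercase letters, the single uppercase `A` and a literal hyphen, so `net use X: \\srv\share /USER:…` with most uppercase drive letters is missed. The `re` modifier is case-sensitive in most Sigma backends, so a lowercase `/user:` switch would also be missed unless the pattern allows it; worth confirming against the target backend before this leaves `experimental`, and net.exe commonly hands the work to `net1.exe`, which the `Image` selection would not cover (hedged, not visible here). The description `Detects a when net.exe is called` should drop the stray `a`; the proposed field line is `- CommandLine|re:` with the pattern `'net.*use [a-zA-Z]\:\s+\\\\[^\s]+\s+\/USER:\s*[^\s]+\s+([^\s]+)'`.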