From c82d5ac08e6ef5a839b9d5a60dbc5052ab775a67 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Mon, 5 Oct 2020 14:43:45 +1100
Subject: [PATCH] Create win_net_use_admin_share.yml

---
 .../builtin/win_net_use_admin_share.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/builtin/win_net_use_admin_share.yml

diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/builtin/win_net_use_admin_share.yml
new file mode 100644
index 000000000..2493c2fad
--- /dev/null
+++ b/rules/windows/builtin/win_net_use_admin_share.yml
@@ -0,0 +1,26 @@
+title: Mounted Windows Admin Shares with net.exe
+id: 3abd6094-7027-475f-9630-8ab9be7b9725
+status: experimental
+description: Detects when an admin share is mounted using net.exe
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st'
+date: 2020/10/05
+tags:
+ - attack.lateral_movement
+ - attack.T1021.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - ' use '
+ - '\\\\*\*$*'
+ condition: selection
+falsepositives:
+ - Administrators
+level: medium
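Review bot: The second `CommandLine|contains|all` value `'\\\\*\*$*'` does not match the intended `\\host\share$` form, because under Sigma's value escaping `\*` denotes a literal asterisk rather than a backslash followed by a wildcard; as written the selection only fires when a literal `*` precedes the `$`, so ordinary admin-share mounts would be missed. The value should read `'\\\\*\\*$*'` (escaped backslashes, wildcard host, escaped backslash, wildcard share name, `$`), and since `contains` already implies wildcards at both ends the outer `*` are optional. Because net.exe typically delegates to net1.exe with the same command line, one mount will likely produce two matching process-creation events, which is worth a sentence in the description so analysts do not read the pair as two separate actions.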