title: Net.exe execution
status: experimental
description: Detects execution of Net.exe, whether suspicious or benign.
reference: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
author: Michael Haag
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\net.exe'
        CommandLine:
            - 'net group*'
            - 'net localgroup*'
            - 'net user*'
            - 'net view*'
            - 'net share'
            - 'net accounts*'
            - 'net use*'
    condition: selection
falsepositives:
    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
level: medium