Detection rules › Sigma
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1087.001 Account Discovery: Local Account, T1087.002 Account Discovery: Domain Account |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection_img
or:
Image|endswith: '\net.exe'
Image|endswith: '\net1.exe'
OriginalFileName: net.exe
OriginalFileName: net1.exe
Stage 2: all of selection_group_root
or:
CommandLine|contains: ' group '
CommandLine|contains: ' localgroup '
Stage 3: all of selection_group_flags
or:
CommandLine|contains: ' /do'
CommandLine|contains: ' administrateur'
CommandLine|contains: ' administrator'
CommandLine|contains: 'Exchange Trusted Subsystem'
CommandLine|contains: 'Remote Desktop Users'
CommandLine|contains: 'Usuarios de escritorio remoto'
CommandLine|contains: 'Utilisateurs du Bureau à distance'
CommandLine|contains: 'domain admins'
CommandLine|contains: 'enterprise admins'
Stage 4: not filter_group_add
CommandLine|contains: ' /add'
Stage 5: all of selection_accounts_root
CommandLine|contains: ' accounts '
Stage 6: all of selection_accounts_flags
CommandLine|contains: ' /do'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|