Mounting Windows Hidden Shares with net.exe¶
Identifies hidden Windows Admin Network shares
| id: | 8e7c9bce-565b-4ee1-bb70-37dc61afc8d0 |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Lateral Movement |
|---|---|
| techniques: | T1077 Windows Admin Shares |
Query¶
process where subtype.create and
(process_name == "net.exe" or (process_name == "net1.exe" and parent_process_name != "net.exe")) and
(command_line == "* use \\\\*\\*$*" or command_line == "* use \\\\*/*$*")