Mounting Hidden Shares¶
Identifies enumeration of mounted shares with the built-in Windows tool net.exe.
| id: | 9b3dd402-891c-4c4d-a662-28947168ce61 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Lateral Movement |
|---|---|
| techniques: | T1077 Windows Admin Shares |
Query¶
process where subtype.create and
(process_name == "net.exe" or (process_name == "net1.exe" and parent_process_name != "net.exe")) and
(command_line == "* use" or command_line == "* use *") and
// since this command is looking for discovery only, we want to ignore mounting shares
command_line == "* \\\\*"
| unique parent_process_path, command_line, user_name