Mounting Hidden Shares

Identifies enumeration of mounted shares with the builtin Windows tool net.exe.

id:9b3dd402-891c-4c4d-a662-28947168ce61
categories:detect
confidence:low
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Lateral Movement
techniques:T1077 Windows Admin Shares

Query

process where subtype.create and
  (process_name == "net.exe" or (process_name == "net1.exe" and parent_process_name != "net.exe")) and
  (command_line == "* use" or command_line == "* use *") and

  // since this command is looking for discovery only, we want to ignore mounting shares
  command_line == "* \\\\*"
| unique parent_process_path, command_line, user_name

Contributors