Enumeration of Local Shares

Identifies enumeration of local shares with the built-in Windows tool net.exe.

id:bc1944cd-97fc-4b9a-b068-46203b6bbcde categories:detect confidence:low os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Discovery techniques:T1135 Network Share Discovery

Query

process where subtype.create and
  (process_name == "net.exe" or (process_name == "net1.exe" and parent_process_name != "net.exe")) and
  command_line == "* share*" and command_line != "* * *"

Contributors

• Endgame