Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

System Network Connections Discovery Via Net.EXE

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Fri Dec 10Updated Tue Feb 211c67a717-32ba-409b-a45d-0fb704a73a81windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        - CommandLine|endswith:
              - ' use'
              - ' sessions'
        - CommandLine|contains:
              - ' use '
              - ' sessions '
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
1c67a717-32ba-409b-a45d-0fb704a73a81
Status
test
Level
low
Type
Detection
Created
Fri Dec 10
Modified
Tue Feb 21
Author
François Hubaut
Path
rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml
Raw Tags
attack.discoveryattack.t1049
View on GitHub