Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowstable

Share And Session Enumeration Using Net.EXE

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Endgame, JHasenbusch (ported for oscd.community)Created Tue Oct 30Updated Tue Feb 2162510e69-616b-4078-b371-847da438cc03windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: 'view'
    filter:
        CommandLine|contains: '\\\\'
    condition: all of selection_* and not filter
False Positives

Legitimate use of net.exe utility by legitimate user

References
1
Resolving title…
eqllib.readthedocs.io
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
62510e69-616b-4078-b371-847da438cc03
Status
stable
Level
low
Type
Detection
Created
Tue Oct 30
Modified
Tue Feb 21
Author
Endgame, JHasenbusch (ported for oscd.community)
Path
rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml
Raw Tags
attack.discoveryattack.t1018
View on GitHub