Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), omkar72, Nasreddine Bencherchali (Nextron Systems)Created Wed Jan 16Updated Thu Mar 02d95de845-b83c-4a9a-8a6a-4fc802ebf6c0windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic6 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    # Covers group and localgroup flags
    selection_group_root:
        CommandLine|contains:
            - ' group '
            - ' localgroup '
    selection_group_flags:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
            - ' /do' # short for domain
    filter_group_add:
        # This filter is added to avoid the potential case where the point is not recon but addition
        CommandLine|contains: ' /add'
    # Covers 'accounts' flag
    selection_accounts_root:
        CommandLine|contains: ' accounts '
    selection_accounts_flags:
        CommandLine|contains: ' /do' # short for domain
    condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
False Positives

Inventory tool runs

Administrative activity

References
1
Resolving title…
redcanary.com
2
Resolving title…
thedfirreport.com
3
Resolving title…
research.nccgroup.com
MITRE ATT&CK
Rule Metadata
Rule ID
d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
Status
test
Level
medium
Type
Detection
Created
Wed Jan 16
Modified
Thu Mar 02
Author
Florian Roth (Nextron Systems), omkar72, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
Raw Tags
attack.discoveryattack.t1087.001attack.t1087.002
View on GitHub