net.exe

  • File Path: C:\WINDOWS\SysWOW64\net.exe
  • Description: Net Command

Hashes

Type Hash
MD5 2D09708A2B7FD7391E50A1A8E4915BD7
SHA1 6C843F6F2A8D883BEB59DA4DFFC8164969CEF69D
SHA256 A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56
SHA384 2C13660DE3FE2518840586248527F0FCE7FDCD5E164295037BFBB6EC770C3457A789446557C177AB95B501ECE95F2A3F
SHA512 75692F9A39581A6ED1400AE20833052B136BD13F326A3AC34BCFEEAD73A7C58133BE28AEAF364DA5D17AAE10EF7350EAB5C8D6239178C3C6EA77A0036388CDB9
SSDEEP 768:BDQWomwoPBvdMaAEZxL3Dl1v3vOl5M939mXkpcYgY8QZLbc/0:BDiMPpdbxPl1vfyXkpcY71ZLbcM

Runtime Data

Usage (stdout):

The syntax of this command is:

NET HELP
command
     -or-
NET command /HELP

  Commands available are:

  NET ACCOUNTS             NET HELPMSG              NET STATISTICS
  NET COMPUTER             NET LOCALGROUP           NET STOP
  NET CONFIG               NET PAUSE                NET TIME
  NET CONTINUE             NET SESSION              NET USE
  NET FILE                 NET SHARE                NET USER
  NET GROUP                NET START                NET VIEW
  NET HELP

  NET HELP NAMES explains different types of names in NET HELP syntax lines.
  NET HELP SERVICES lists some of the services you can start.
  NET HELP SYNTAX explains how to read NET HELP syntax lines.
  NET HELP command | MORE displays Help one screen at a time.

Usage (stderr):

The syntax of this command is:

NET
    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: net.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of net.exe being misused. While net.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_logon_explicit_credentials.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_mal_ryuk.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - net.exe DRL 1.0
sigma proc_creation_win_net_enum.yml description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. DRL 1.0
sigma proc_creation_win_net_enum.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_enum.yml - Legitimate use of net.exe utility by legitimate user DRL 1.0
sigma proc_creation_win_net_user_add.yml title: Net.exe User Account Creation DRL 1.0
sigma proc_creation_win_net_user_add.yml description: Identifies creation of local users via the net.exe command. DRL 1.0
sigma proc_creation_win_net_user_add.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml title: Mounted Windows Admin Shares with net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml description: Detects when an admin share is mounted using net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_remote_time_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_stop.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_mounted_share_deletion.yml ParentImage\|endswith: '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_execution.yml title: Net.exe Execution DRL 1.0
sigma proc_creation_win_susp_net_execution.yml description: Detects execution of Net.exe, whether suspicious or benign. DRL 1.0
sigma proc_creation_win_susp_net_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml title: Password Provided In Command Line Of Net.exe DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml description: Detects a when net.exe is called with a password in the command line DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml Image: C:\Windows\System32\net.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image\|endswith: \net.exe DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\net.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1007.md - Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md ## Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. MIT License. © 2018 Red Canary
atomic-red-team T1007.md Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s MIT License. © 2018 Red Canary
atomic-red-team T1007.md | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| MIT License. © 2018 Red Canary
atomic-red-team T1007.md net.exe start » #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe querying the Active Directory Domain Computers group. MIT License. © 2018 Red Canary
atomic-red-team T1489.md - Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md ## Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md Stops a specified service using the net.exe command. Upon execution, if the service was running “The Print Spooler service was stopped successfully.” MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} #{new_password} MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
signature-base apt_poseidon_group.yar $a1 = “net.exe group "Domain Admins" /domain” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a2 = “net.exe group "Admins. do Dom” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a7 = “net.exe localgroup Administradores” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “No Net.exe Add User” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “:Execute net.exe user Administrator pass” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.