net.exe

  • File Path: C:\WINDOWS\system32\net.exe
  • Description: Net Command

Hashes

Type Hash
MD5 4F039C21D1A4E281401818E28E091FBF
SHA1 7A4DA59B47453EE633887ED2D25050D8BE18C5E9
SHA256 4AA3EE22F801D722EC1C52C38F844DCEE8406865375BEDF5B1876F9B259D0AD5
SHA384 8D96D15492D33E97D7602A1D8850ECF8939586CCD17DA8325107D97701FE9FCEFE67342A1AE6F65FF87EF70E9C1BA603
SHA512 D81395D67BFCD1BCA3C3DD8F7EEA8B71B2ADC82751DCE3CDD273AFD880B7437E304F1B23527C22FFF21C0418A545D53B924A2797BD1290846CCA137C89B2088B
SSDEEP 1536:Y8N7O8wV9fhdadPs7YTfnrEOVxN9Tt7OZwDL8mZCqXN:R7OdPDMVjT3DL8mJ
IMP D45C37A5C97135204AD6E116C34946C3
PESHA1 FD581817DA2A9B2448D7DD3034682EC99FDE7E9A
PE256 0B896732CCB0009A45F7ED01E3F6CCEE47BF11CF844248B1DF5B83A490516F10

Runtime Data

Usage (stdout):

The syntax of this command is:

NET HELP
command
     -or-
NET command /HELP

  Commands available are:

  NET ACCOUNTS             NET HELPMSG              NET STATISTICS
  NET COMPUTER             NET LOCALGROUP           NET STOP
  NET CONFIG               NET PAUSE                NET TIME
  NET CONTINUE             NET SESSION              NET USE
  NET FILE                 NET SHARE                NET USER
  NET GROUP                NET START                NET VIEW
  NET HELP

  NET HELP NAMES explains different types of names in NET HELP syntax lines.
  NET HELP SERVICES lists some of the services you can start.
  NET HELP SYNTAX explains how to read NET HELP syntax lines.
  NET HELP command | MORE displays Help one screen at a time.

Usage (stderr):

The syntax of this command is:

NET
    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\system32\net.exe
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: net.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/4aa3ee22f801d722ec1c52c38f844dcee8406865375bedf5b1876f9b259d0ad5/detection

Possible Misuse

The following table contains possible examples of net.exe being misused. While net.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_logon_explicit_credentials.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_mal_ryuk.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - net.exe DRL 1.0
sigma proc_creation_win_net_enum.yml description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. DRL 1.0
sigma proc_creation_win_net_enum.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_enum.yml - Legitimate use of net.exe utility by legitimate user DRL 1.0
sigma proc_creation_win_net_user_add.yml title: Net.exe User Account Creation DRL 1.0
sigma proc_creation_win_net_user_add.yml description: Identifies creation of local users via the net.exe command. DRL 1.0
sigma proc_creation_win_net_user_add.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml title: Mounted Windows Admin Shares with net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml description: Detects when an admin share is mounted using net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_remote_time_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_stop.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_mounted_share_deletion.yml ParentImage\|endswith: '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_execution.yml title: Net.exe Execution DRL 1.0
sigma proc_creation_win_susp_net_execution.yml description: Detects execution of Net.exe, whether suspicious or benign. DRL 1.0
sigma proc_creation_win_susp_net_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml title: Password Provided In Command Line Of Net.exe DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml description: Detects a when net.exe is called with a password in the command line DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml Image: C:\Windows\System32\net.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image\|endswith: \net.exe DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\net.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1007.md - Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md ## Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. MIT License. © 2018 Red Canary
atomic-red-team T1007.md Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s MIT License. © 2018 Red Canary
atomic-red-team T1007.md | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| MIT License. © 2018 Red Canary
atomic-red-team T1007.md net.exe start » #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe querying the Active Directory Domain Computers group. MIT License. © 2018 Red Canary
atomic-red-team T1489.md - Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md ## Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md Stops a specified service using the net.exe command. Upon execution, if the service was running “The Print Spooler service was stopped successfully.” MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} #{new_password} MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
signature-base apt_poseidon_group.yar $a1 = “net.exe group "Domain Admins" /domain” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a2 = “net.exe group "Admins. do Dom” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a7 = “net.exe localgroup Administradores” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “No Net.exe Add User” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “:Execute net.exe user Administrator pass” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.