net.exe

  • File Path: C:\windows\system32\net.exe
  • Description: Net Command

Hashes

Type Hash
MD5 7467EC1D75804DF9357A0660919E9831
SHA1 B1997A11347698358937432675CB3EC3E3CE3599
SHA256 B331B2CE9418FFAF3A759B3889DB1777F1848FFD9954689C6FA25FD6FFC43834
SHA384 6422DCEF0C9DB31E9AB2AE2D2777E8470978C44964831C539F22CA03EA6F0612325BB13E902A5E2DCA21C4180C7A07AF
SHA512 3A47298559256D799047C7D1F06C691209C4D60047F35B199167E867BC8FB7BDAAC18D07B734A3A90EF296820288FEA5C155A7024829C0A995F52F2BBD7CFC4B
SSDEEP 1536:uax0v4bGRMagyyJ2SB0iJ8LKgrox3T+Qg:uxv4+O2SR8tqTy

Signature

  • Status: The file C:\windows\system32\net.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: net.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
  • Product Version: 6.3.9600.17415
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of net.exe being misused. While net.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_logon_explicit_credentials.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_mal_ryuk.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - net.exe DRL 1.0
sigma proc_creation_win_net_enum.yml description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. DRL 1.0
sigma proc_creation_win_net_enum.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_enum.yml - Legitimate use of net.exe utility by legitimate user DRL 1.0
sigma proc_creation_win_net_user_add.yml title: Net.exe User Account Creation DRL 1.0
sigma proc_creation_win_net_user_add.yml description: Identifies creation of local users via the net.exe command. DRL 1.0
sigma proc_creation_win_net_user_add.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml title: Mounted Windows Admin Shares with net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml description: Detects when an admin share is mounted using net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_remote_time_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_stop.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_mounted_share_deletion.yml ParentImage\|endswith: '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_execution.yml title: Net.exe Execution DRL 1.0
sigma proc_creation_win_susp_net_execution.yml description: Detects execution of Net.exe, whether suspicious or benign. DRL 1.0
sigma proc_creation_win_susp_net_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml title: Password Provided In Command Line Of Net.exe DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml description: Detects a when net.exe is called with a password in the command line DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml Image: C:\Windows\System32\net.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image\|endswith: \net.exe DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\net.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1007.md - Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md ## Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. MIT License. © 2018 Red Canary
atomic-red-team T1007.md Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s MIT License. © 2018 Red Canary
atomic-red-team T1007.md | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| MIT License. © 2018 Red Canary
atomic-red-team T1007.md net.exe start » #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe querying the Active Directory Domain Computers group. MIT License. © 2018 Red Canary
atomic-red-team T1489.md - Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md ## Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md Stops a specified service using the net.exe command. Upon execution, if the service was running “The Print Spooler service was stopped successfully.” MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} #{new_password} MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
signature-base apt_poseidon_group.yar $a1 = “net.exe group "Domain Admins" /domain” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a2 = “net.exe group "Admins. do Dom” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a7 = “net.exe localgroup Administradores” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “No Net.exe Add User” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “:Execute net.exe user Administrator pass” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.