net.exe

  • File Path: C:\Windows\system32\net.exe
  • Description: Net Command

Hashes

Type Hash
MD5 AE61D8F04BCDE8158304067913160B31
SHA1 4F4970C3545972FEA2BC1984D597FC810E6321E0
SHA256 25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369
SHA384 044C249B23A8F7583C7BB20F8CD1F1F7AD4A26CA335F917906D487E792E2E6B23F6051D180952977F37F975A52CFFA85
SHA512 0B3B8662FF95CD4D9CF42B9179E111C9A51654908938E25F9BD5EAE2A4177F767EA2EBD0EFD9DED5DCA2D7D4FF18ADD7AA945D6638439F7A848B11C630CD153D
SSDEEP 768:MxLuocL47+gV+tNnXJ8t+vsKDaZ3I9eEFJDCtIyLQZ0uZnJ:9ocLQ+DRXOasKDBLD+NsZJJ
IMP 57F0C47AE2A1A2C06C8B987372AB0B07
PESHA1 EC7616F37AA3C497C111E6DD0F721EB5D2024DCB
PE256 2D16BF609CB22E6F923D76098B47F619FE2CEF93E28961810069C30ACAF789B8

Runtime Data

Usage (stdout):

The syntax of this command is:

NET HELP
command
     -or-
NET command /HELP

  Commands available are:

  NET ACCOUNTS             NET HELPMSG              NET STATISTICS
  NET COMPUTER             NET LOCALGROUP           NET STOP
  NET CONFIG               NET PAUSE                NET TIME
  NET CONTINUE             NET SESSION              NET USE
  NET FILE                 NET SHARE                NET USER
  NET GROUP                NET START                NET VIEW
  NET HELP

  NET HELP NAMES explains different types of names in NET HELP syntax lines.
  NET HELP SERVICES lists some of the services you can start.
  NET HELP SYNTAX explains how to read NET HELP syntax lines.
  NET HELP command | MORE displays Help one screen at a time.

Usage (stderr):

The syntax of this command is:

NET
    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\system32\IPHLPAPI.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\MPR.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\system32\net.exe
C:\Windows\system32\netutils.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\samcli.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\srvcli.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wkscli.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: net.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/25c8266d2bc1d5626dcdf72419838b397d28d44d00ac09f02ff4e421b43ec369/detection/

Possible Misuse

The following table contains possible examples of net.exe being misused. While net.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_logon_explicit_credentials.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_mal_ryuk.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - net.exe DRL 1.0
sigma proc_creation_win_net_enum.yml description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. DRL 1.0
sigma proc_creation_win_net_enum.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_enum.yml - Legitimate use of net.exe utility by legitimate user DRL 1.0
sigma proc_creation_win_net_user_add.yml title: Net.exe User Account Creation DRL 1.0
sigma proc_creation_win_net_user_add.yml description: Identifies creation of local users via the net.exe command. DRL 1.0
sigma proc_creation_win_net_user_add.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml title: Mounted Windows Admin Shares with net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml description: Detects when an admin share is mounted using net.exe DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_remote_time_discovery.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'net.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_service_stop.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_mounted_share_deletion.yml ParentImage\|endswith: '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_execution.yml title: Net.exe Execution DRL 1.0
sigma proc_creation_win_susp_net_execution.yml description: Detects execution of Net.exe, whether suspicious or benign. DRL 1.0
sigma proc_creation_win_susp_net_execution.yml - '\net.exe' DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml title: Password Provided In Command Line Of Net.exe DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml description: Detects a when net.exe is called with a password in the command line DRL 1.0
sigma proc_creation_win_susp_net_use_password_plaintext.yml Image: C:\Windows\System32\net.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image\|endswith: \net.exe DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\net.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Windows - Stop service using net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: System Service Discovery - net.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1007.md - Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md ## Atomic Test #2 - System Service Discovery - net.exe MIT License. © 2018 Red Canary
atomic-red-team T1007.md Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. MIT License. © 2018 Red Canary
atomic-red-team T1007.md Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s MIT License. © 2018 Red Canary
atomic-red-team T1007.md | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| MIT License. © 2018 Red Canary
atomic-red-team T1007.md net.exe start » #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Identify remote systems with net.exe querying the Active Directory Domain Computers group. MIT License. © 2018 Red Canary
atomic-red-team T1489.md - Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md ## Atomic Test #2 - Windows - Stop service using net.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md Stops a specified service using the net.exe command. Upon execution, if the service was running “The Print Spooler service was stopped successfully.” MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1489.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} #{new_password} MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1531.md net.exe user #{user_account} /delete MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe stop #{service_name} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md net.exe start #{service_name} >nul 2>&1 MIT License. © 2018 Red Canary
signature-base apt_poseidon_group.yar $a1 = “net.exe group "Domain Admins" /domain” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a2 = “net.exe group "Admins. do Dom” fullword ascii CC BY-NC 4.0
signature-base apt_poseidon_group.yar $a7 = “net.exe localgroup Administradores” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “No Net.exe Add User” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “:Execute net.exe user Administrator pass” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.