net.exe

  • File Path: C:\windows\SysWOW64\net.exe
  • Description: Net Command

Hashes

| Type | Hash |
|---|---|
| MD5 | C3D20AC571E20AFC880DFE85DD3E8C7A |
| SHA1 | 64EEDA3BD4019E3E4528EC213055BD2D3C132564 |
| SHA256 | 4B487075F31CFCA0A480B2C8BE0D265655298F26E95B00F132285C784B3DA4EB |
| SHA384 | 206095D63C7E1601C4316439E0A58D315243DC68AEECF6A481AF2CB69E13E7E22286B78C13E97827E1E6257B7E78C26D |
| SHA512 | EE3F565760683A9E3E7D3D17C924DDE84CBD3E2B5248E334EB7870584C01C8ED01BD58078D1E72E8EFFE6AF6B6E8BF73B052A8A4B9B2024639CC6226EFDF48EC |
| SSDEEP | 768:ahyJxfvuxv/5u5qiRKye/+cKCiESTC/e3YAivbrTgagbXERtUD+YY4q8:awExn5u5DII8wpEvzga2UY+YY4q |

Signature

  • Status: The file C:\windows\SysWOW64\net.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: net.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
  • Product Version: 6.3.9600.17415
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of net.exe being misused. While net.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_susp_logon_explicit_credentials.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_local_system_owner_account_discovery.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_malware_dridex.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_mal_ryuk.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - net.exe | DRL 1.0 |
| sigma | proc_creation_win_net_enum.yml | description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. | DRL 1.0 |
| sigma | proc_creation_win_net_enum.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_net_enum.yml | - Legitimate use of net.exe utility by legitimate user | DRL 1.0 |
| sigma | proc_creation_win_net_user_add.yml | title: Net.exe User Account Creation | DRL 1.0 |
| sigma | proc_creation_win_net_user_add.yml | description: Identifies creation of local users via the net.exe command. | DRL 1.0 |
| sigma | proc_creation_win_net_user_add.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_net_use_admin_share.yml | title: Mounted Windows Admin Shares with net.exe | DRL 1.0 |
| sigma | proc_creation_win_net_use_admin_share.yml | description: Detects when an admin share is mounted using net.exe | DRL 1.0 |
| sigma | proc_creation_win_net_use_admin_share.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_remote_time_discovery.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'net.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_service_execution.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_service_stop.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mounted_share_deletion.yml | ParentImage\|endswith: '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_net_execution.yml | title: Net.exe Execution | DRL 1.0 |
| sigma | proc_creation_win_susp_net_execution.yml | description: Detects execution of Net.exe, whether suspicious or benign. | DRL 1.0 |
| sigma | proc_creation_win_susp_net_execution.yml | - '\net.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_net_use_password_plaintext.yml | title: Password Provided In Command Line Of Net.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_net_use_password_plaintext.yml | description: Detects a when net.exe is called with a password in the command line | DRL 1.0 |
| sigma | proc_creation_win_susp_net_use_password_plaintext.yml | Image: C:\Windows\System32\net.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | Image\|endswith: \net.exe | DRL 1.0 |
| sigma | proc_creation_win_webshell_detection.yml | - '\net.exe' | DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #2: Windows - Stop service using net.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: System Service Discovery - net.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Windows - Stop service using net.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: System Service Discovery - net.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | - Atomic Test #2 - System Service Discovery - net.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | ## Atomic Test #2 - System Service Discovery - net.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | \| output_file \| Path of file to hold net.exe output \| Path \| C:\Windows\Temp\service-list.txt\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1007.md | net.exe start >> #{output_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Identify remote systems with net.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Identify remote systems with net.exe querying the Active Directory Domain Computers group. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | - Atomic Test #2 - Windows - Stop service using net.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | ## Atomic Test #2 - Windows - Stop service using net.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | Stops a specified service using the net.exe command. Upon execution, if the service was running “The Print Spooler service was stopped successfully.” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | net.exe stop #{service_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | net.exe start #{service_name} >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1531.md | net.exe user #{user_account} #{new_password} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1531.md | net.exe user #{user_account} /delete >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1531.md | net.exe user #{user_account} /delete | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | net.exe stop #{service_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | net.exe start #{service_name} >nul 2>&1 | MIT License. © 2018 Red Canary |
| signature-base | apt_poseidon_group.yar | $a1 = “net.exe group "Domain Admins" /domain” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_poseidon_group.yar | $a2 = “net.exe group "Admins. do Dom” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_poseidon_group.yar | $a7 = “net.exe localgroup Administradores” fullword ascii | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | $s2 = “No Net.exe Add User” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s4 = “:Execute net.exe user Administrator pass” fullword ascii | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.