net1.exe

File Path: C:\Windows\system32\net1.exe
Description: Net Command

Hashes

Type	Hash
MD5	`21C0AFE3CF5DE008014C7D6130A80C3D`
SHA1	`20728995F03FA8FDCF66A2A848AB5405932A66C2`
SHA256	`F4CBB5284B2D0334A1F65060CBFFF1E382CA7A0C35E6BD4031710F301FF9816B`
SHA384	`AF3B74254053AB2F5CAB6C174D72D156E4F2E06DAC35CDE58DABC64C84265CA585848AECC0B86D7ACD2B569CE3944AC2`
SHA512	`EFC977889999C827BA17F23F39A8389ED675F5D5A45BF860DE002BBB82F638E1C37D66F96440CC9EA80F98B17BE93D55A0E051F21F75FE6151424FEBE341EE7F`
SSDEEP	`3072:V/25MVfzyevWl2irm+q4y/SVfoFTOoa3js/RJjnPr9WBWj+Yvvf4PMKzHq1VHRz:JOEiy+q4y/SVfyTpa3js/RJjnP56Wj+m`
IMP	`D115CDECBD7EB553182EAD3D45F5816C`
PESHA1	`D5FECFB007E6A5D945718CC17E197B2F6C7BB1C6`
PE256	`45E8065BB6B9A4D2DDC0FB87EE4096E3A457C9109FD3CAD6C019C124F5105649`

Runtime Data

Usage (stdout):

The syntax of this command is:

NET HELP
command
     -or-
NET command /HELP

  Commands available are:

  NET ACCOUNTS             NET HELPMSG              NET STATISTICS
  NET COMPUTER             NET LOCALGROUP           NET STOP
  NET CONFIG               NET PAUSE                NET TIME
  NET CONTINUE             NET SESSION              NET USE
  NET FILE                 NET SHARE                NET USER
  NET GROUP                NET START                NET VIEW
  NET HELP

  NET HELP NAMES explains different types of names in NET HELP syntax lines.
  NET HELP SERVICES lists some of the services you can start.
  NET HELP SYNTAX explains how to read NET HELP syntax lines.
  NET HELP command | MORE displays Help one screen at a time.

Usage (stderr):

The syntax of this command is:

NET
    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\net1.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

Status: Signature verified.
Serial: 3300000266BD1580EFA75CD6D3000000000266
Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: net1.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.19041.546 (WinBuild.160101.0800)
Product Version: 10.0.19041.546
Language: English (United States)
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/76
VirusTotal Link: https://www.virustotal.com/gui/file/f4cbb5284b2d0334a1f65060cbfff1e382ca7a0c35e6bd4031710f301ff9816b/detection

Possible Misuse

The following table contains possible examples of net1.exe being misused. While net1.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_susp_logon_explicit_credentials.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_local_system_owner_account_discovery.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_malware_dridex.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_mal_ryuk.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_net_enum.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_net_user_add.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_net_use_admin_share.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_remote_time_discovery.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	`- 'net1.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_service_execution.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_service_stop.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_susp_mounted_share_deletion.yml	`Image\\|endswith: '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_susp_net_execution.yml	`- '\net1.exe'`	DRL 1.0
sigma	proc_creation_win_webshell_detection.yml	`- '\net1.exe'`	DRL 1.0