T1087.002 - Suspicious Group And Account Reconnaissance Activity Using Net.EXE
DESCRIPTION
Detects suspicious reconnaissance command-line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts or LOCAL_SYSTEM).
Examples:
net1 localgroup Administrators
"net.exe" localgroup Administrators
net group "Domain admins" /DOMAIN
Related
LOLBins
Discovery
References:
https://github.com/SigmaHQ/sigma/blob/49adcf9a00247ed6c3daacba03b589470f6716d0/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
https://learn.microsoft.com/en-us/windows/win32/winsock/net-exe-2
ATT&CK TACTICS
T1087.002 - Account Discovery: Domain Account
Data Source(s): Command, Process
SENTINEL RULE QUERY
let selection_img = dynamic(['net.exe', 'net1.exe']); // bare names: OriginalFileName carries no path, so a '\net.exe' prefix would never match (also catches renamed copies of net.exe)
let selection_group_root = dynamic([' group ', ' localgroup ']);
let selection_group_flags = dynamic(['domain admins', ' administrators', ' administrateur', 'enterprise admins', 'Exchange Trusted Subsystem', 'Remote Desktop Users', @' /do']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where (FolderPath endswith @'\net.exe' or FolderPath endswith @'\net1.exe') or (ProcessVersionInfoOriginalFileName in~ (selection_img)) //selection_img
// group reconnaissance (excluding membership changes via /add) OR account-policy reconnaissance (net accounts /do);
// the group_root check belongs inside the first branch only: 'net accounts /domain' contains neither ' group ' nor ' localgroup '
| where (ProcessCommandLine has_any (selection_group_root) and ProcessCommandLine has_any (selection_group_flags) and not(ProcessCommandLine contains " /add"))
    or (ProcessCommandLine contains " accounts " and ProcessCommandLine contains " /do")
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId
Triage
Uncomment the 'summarize' statement (remove the leading "//") in the KQL above to aggregate results per initiating process and account, which assists analysis and removes duplicate rows.
Inspect whether the activity was expected and approved.
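As an added example (not the page's KQL or the Sigma project's code), the rule's matching logic is mirrored in Python so it can be unit-tested offline against the page's own example command lines; the ProcessEvent class and the sample rows are constructed for this illustration, and substring matching stands in for KQL's has_any/contains.

```python
from dataclasses import dataclass

IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")     # FolderPath endswith
ORIGINAL_NAMES = {"net.exe", "net1.exe"}          # ProcessVersionInfoOriginalFileName
GROUP_ROOT = (" group ", " localgroup ")
GROUP_FLAGS = ("domain admins", " administrators", " administrateur",
               "enterprise admins", "exchange trusted subsystem",
               "remote desktop users", " /do")

@dataclass
class ProcessEvent:
    """Constructed stand-in for one DeviceProcessEvents row (only the fields the rule reads)."""
    folder_path: str
    original_file_name: str
    command_line: str
    account_name: str = "jdoe"

def is_net_binary(ev: ProcessEvent) -> bool:
    """selection_img: match on path suffix or on the PE original file name (catches renamed copies)."""
    return (ev.folder_path.lower().endswith(IMAGE_SUFFIXES)
            or ev.original_file_name.lower() in ORIGINAL_NAMES)

def matches_rule(ev: ProcessEvent) -> bool:
    """Mirror the rule's command-line conditions. KQL string operators are case-insensitive,
    so everything is lower-cased; substring 'in' approximates has_any/contains."""
    if not is_net_binary(ev):
        return False
    cmd = ev.command_line.lower()
    group_recon = (any(r in cmd for r in GROUP_ROOT)
                   and any(f in cmd for f in GROUP_FLAGS)
                   and " /add" not in cmd)                  # membership changes are excluded
    account_policy_recon = " accounts " in cmd and " /do" in cmd   # e.g. net accounts /domain
    return group_recon or account_policy_recon

def hunt(events):
    """Return (account, command line) for every event the rule would surface, for triage."""
    return [(ev.account_name, ev.command_line) for ev in events if matches_rule(ev)]

# Constructed sample rows: the page's three examples, a renamed binary, and two excluded/benign cases.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net1.exe", "net1.exe", "net1 localgroup Administrators"),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net.exe", '"net.exe" localgroup Administrators'),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net.exe", 'net group "Domain admins" /DOMAIN', "SYSTEM"),
    ProcessEvent(r"C:\Temp\n.exe", "net.exe", "n accounts /domain", "svc_backup"),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net.exe", "net localgroup Administrators bob /add"),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net.exe", "net user"),
]
```

Running hunt(SAMPLE_EVENTS) surfaces the first four rows (including the renamed copy found via its original file name) and drops the /add and plain "net user" rows, which is the behaviour to verify after any edit to the query.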
FalsePositive
Inventory tool runs
Administrative activity
VERSION
Version 1.0 (date: 20/03/2024)
April 2, 2024
March 28, 2024