Create or delete hidden shares using net.exe

Description

This search looks for the creation or deletion of hidden shares using net.exe.

Use Case

Security Monitoring

Category

Malware

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Execution
Persistence

MITRE ATT&CK Techniques

Command and Scripting Interpreter

MITRE Threat Groups

APT19
APT32
APT39
Dragonfly 2.0
FIN5
FIN6
FIN7
Ke3chang
Molerats
OilRig
Stealth Falcon
Whitefly

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Help

Net.exe is a built-in Windows command-line tool used to create, delete, and manage shared resources on a computer, both locally and remotely. Microsoft administrators use it to manage network shares, but attackers also leverage it to create and delete hidden file shares, which are made by appending "$" to the name of the share. To find hidden shares, use a regular expression that matches a share name followed by "$", that is, (name_file_share)$. This search looks for command-line executions of net.exe with parameters such as net, share, or delete that may correspond to the creation or deletion of hidden shares.
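The matching logic described above, written out as an added Python example over constructed process-creation events; it is not the search shipped with this content. The event field names (`host`, `process`, `cmdline`) and the sample values are assumptions, and matching `net1.exe` in addition to `net.exe` goes beyond what the page names.

```python
import re

# Image name check. net.exe passes its arguments to net1.exe, so both are
# matched; net1.exe is an addition here, the page names only net.exe.
NET_IMAGE = re.compile(r'(?:^|[\\/])net1?(?:\.exe)?$', re.IGNORECASE)
# "share" subcommand followed by a share name that ends in "$".
HIDDEN_SHARE = re.compile(r'\bshare\s+"?([^\s"=/]+\$)(?=[=\s"]|$)', re.IGNORECASE)
DELETE_FLAG = re.compile(r'(?:^|\s)/delete\b', re.IGNORECASE)

def classify(process, cmdline):
    """Return (action, share_name) for hidden-share creation/deletion, else None."""
    if not NET_IMAGE.search(process):
        return None
    m = HIDDEN_SHARE.search(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():].lstrip('"')
    if rest.startswith('='):          # NAME$=path creates the share
        return ('create', m.group(1))
    if DELETE_FLAG.search(rest):      # NAME$ /delete removes it
        return ('delete', m.group(1))
    return None                       # "net share NAME$" alone only displays it

def scan(events):
    """Return (host, action, share_name) for every matching event."""
    findings = []
    for ev in events:
        hit = classify(ev['process'], ev['cmdline'])
        if hit:
            findings.append((ev['host'], *hit))
    return findings

# Constructed sample events (hypothetical hosts and paths).
NET = r'C:\Windows\System32\net.exe'
SAMPLE_EVENTS = [
    {'host': 'ws01', 'process': NET,
     'cmdline': r'net share Staging$=C:\Users\Public\stage /GRANT:Everyone,FULL'},
    {'host': 'ws01', 'process': r'C:\Windows\System32\net1.exe',
     'cmdline': r'C:\Windows\system32\net1 share Staging$ /delete'},
    {'host': 'srv02', 'process': NET,
     'cmdline': r'"C:\Windows\System32\net.exe" share ADMIN$ /delete'},
    {'host': 'srv02', 'process': NET, 'cmdline': r'net share Reports=D:\Reports'},
    {'host': 'ws03', 'process': NET, 'cmdline': 'net share'},
    {'host': 'ws03', 'process': NET, 'cmdline': r'net use Z: \\fs01\C$'},
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Visible shares, bare `net share` listings, and `net use` mappings of an existing hidden share are left unflagged, which keeps the output limited to creation and deletion.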