Create or delete windows shares using net.exe

Description

This search looks for the creation or deletion of hidden shares using net.exe.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection

Category

Malware

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Lateral Movement

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Help

In this search, we are looking for command-line execution of net.exe with parameters such as net, share, or delete that may correspond to the creation or deletion of Windows drive shares. Net.exe is a built-in Windows command-line tool that can create, delete, and manage shared resources on a computer, both locally and remotely. Although administrators use it legitimately to manage network shares, attackers also leverage it to create and delete hidden file shares, which are made hidden by appending "$" to the share name. Because the creation or deletion of hidden shares is a special case of share creation or deletion in general, the regex that adds that extra matching criterion is commented out in the search. If only hidden share detection is desired, add | regex process="\S+[$]" before the last pipe in the search; this matches a command line containing a share name that ends in "$".
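The same detection logic, as an added Python example that is not part of this page or of the Splunk content it describes: it flags net.exe share creation and deletion in constructed endpoint process events and can optionally restrict results to hidden ("$") shares using the page's regex. The "host|user|command line" event format, host names and user names are assumptions.

```python
import re
from os.path import basename

# Constructed sample endpoint process events (not from the page), as "host|user|command line".
SAMPLE_EVENTS = [
    "ws01|alice|net.exe share Public=C:\\Public",
    "ws02|bob|net share ADMIN$ /delete",
    "ws03|carol|net.exe use Z: \\\\fs01\\data",
    "ws04|dave|C:\\Windows\\System32\\net1.exe share tools$=C:\\Tools /grant:everyone,full",
    "ws05|erin|net.exe share",
]

# The page's optional filter, | regex process="\S+[$]": hidden share names end in "$".
HIDDEN_SHARE_RE = re.compile(r"\S+[$]")
# net.exe hands most subcommands to net1.exe, so match both binaries.
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}


def classify_share_command(process):
    """Return (action, share_name) for a 'net share' create or delete, else None.
    A bare 'net share' only lists existing shares and is ignored."""
    tokens = process.split()
    if len(tokens) < 3:
        return None
    exe = basename(tokens[0].replace("\\", "/")).lower()
    if exe not in NET_BINARIES or tokens[1].lower() != "share":
        return None
    args = tokens[2:]
    if any(a.lower() == "/delete" for a in args):
        return ("delete", args[0])                   # net share NAME /delete
    if "=" in args[0]:
        return ("create", args[0].split("=", 1)[0])  # net share NAME=PATH ...
    return None


def detect(events, hidden_only=False):
    """Flag share create/delete events; with hidden_only, keep only '$' shares."""
    findings = []
    for line in events:
        host, user, process = line.split("|", 2)
        result = classify_share_command(process)
        if result is None:
            continue
        action, share = result
        hidden = HIDDEN_SHARE_RE.fullmatch(share) is not None
        if hidden_only and not hidden:
            continue
        findings.append({"host": host, "user": user, "action": action,
                         "share": share, "hidden": hidden})
    return findings
```

Running detect(SAMPLE_EVENTS) yields three findings (ws01, ws02, ws04); with hidden_only=True only the two "$" shares remain, mirroring the effect of uncommenting the regex.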