LoFP / Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.

Techniques

Sample rules

Create or delete windows shares using net exe

Description

The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) process telemetry to identify net.exe (or net1.exe) executions whose command line contains share-management arguments. This activity is significant because it may indicate an attacker manipulating network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats. Note that the filter in the detection logic below only matches share commands that include /delete, /REMARK: or /CACHE:; a bare `net share name=path` with no further options does not match and would need a separate filter.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| search process IN ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*") 
| `create_or_delete_windows_shares_using_net_exe_filter`
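To see which command lines the filter stage above actually catches, here is an added Python emulation of the rule's logic run over constructed process events. This is example code written for this page, not the Splunk rule or Splunk Security Content code; it assumes the `process_net` macro expands to a match on net.exe or net1.exe by either process_name or original_file_name, and the sample events are invented, not real telemetry.

```python
"""Emulation of the 'Create or delete windows shares using net exe' logic.

Added example for this page; not the Splunk rule itself. Reproduces the
`process_net` filter (assumed expansion, see NET_BINARIES), the tstats
group-by with count/values/min/max, and the wildcard `search` stage.
"""
from fnmatch import fnmatchcase

# Assumed expansion of the `process_net` macro: net.exe or net1.exe matched
# on process_name OR original_file_name, so a renamed binary is still caught.
NET_BINARIES = {"net.exe", "net1.exe"}

# The literal wildcard filters from the rule's `search` stage.
SHARE_PATTERNS = ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*")

# Constructed sample Endpoint.Processes events (invented, not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "CORP\\alice", "dest": "fs01",
     "process_name": "net.exe", "original_file_name": "net.exe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process": "net share C$ /delete"},
    {"_time": 1700000600, "user": "CORP\\bob", "dest": "fs01",
     "process_name": "net.exe", "original_file_name": "net.exe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process": "net share C$ /delete"},               # same row as above
    {"_time": 1700001000, "user": "CORP\\alice", "dest": "fs01",
     "process_name": "net.exe", "original_file_name": "net.exe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process": 'net share data=C:\\data /REMARK:"Team share"'},
    {"_time": 1700001100, "user": "CORP\\alice", "dest": "fs01",
     "process_name": "net.exe", "original_file_name": "net.exe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process": "net share data=C:\\data"},           # no /delete,/REMARK,/CACHE
    {"_time": 1700001200, "user": "CORP\\alice", "dest": "ws07",
     "process_name": "net.exe", "original_file_name": "net.exe",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process": "net use \\\\fs01\\c$"},               # not a share command
    {"_time": 1700002000, "user": "NT AUTHORITY\\SYSTEM", "dest": "ws07",
     "process_name": "net1.exe", "original_file_name": "net1.exe",
     "parent_process_name": "powershell.exe", "parent_process": "powershell.exe",
     "process": "net1 share ADMIN$ /DELETE"},          # net1, upper-case flag
    {"_time": 1700003000, "user": "CORP\\eve", "dest": "ws07",
     "process_name": "svc.exe", "original_file_name": "net.exe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process": "svc share tmp /delete"},              # renamed net.exe
    {"_time": 1700004000, "user": "CORP\\eve", "dest": "ws07",
     "process_name": "cmd.exe", "original_file_name": "Cmd.Exe",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process": "cmd /c echo share /delete"},          # not net.exe at all
]


def is_net_process(event):
    """Assumed `process_net`: process_name or original_file_name is net/net1."""
    names = {event.get("process_name", "").lower(),
             event.get("original_file_name", "").lower()}
    return bool(names & NET_BINARIES)


def matches_share_filter(process):
    """The rule's `search process IN (...)` stage.

    Splunk's search command compares field values case-insensitively and `*`
    spans any characters including spaces; fnmatchcase on lower-cased strings
    reproduces that behaviour.
    """
    cmd = process.lower()
    return any(fnmatchcase(cmd, pattern.lower()) for pattern in SHARE_PATTERNS)


def run_detection(events):
    """Return tstats-style rows: one per distinct (process, process_name,
    parent_process_name, original_file_name, dest) with count, the set of
    users and parent processes, and first/last time."""
    rows = {}
    for ev in events:
        if not is_net_process(ev) or not matches_share_filter(ev["process"]):
            continue
        key = (ev["process"], ev["process_name"], ev["parent_process_name"],
               ev["original_file_name"], ev["dest"])
        row = rows.setdefault(key, {
            "process": ev["process"], "process_name": ev["process_name"],
            "parent_process_name": ev["parent_process_name"],
            "original_file_name": ev["original_file_name"], "dest": ev["dest"],
            "count": 0, "user": set(), "parent_process": set(),
            "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["user"].add(ev["user"])
        row["parent_process"].add(ev["parent_process"])
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["count"], row["dest"], sorted(row["user"]), row["process"])
```

Running it yields four rows: the two `net share C$ /delete` events collapse into one row with count 2 and both users, the /REMARK: creation matches, the upper-case `net1 share ADMIN$ /DELETE` matches because the search is case-insensitive, and the renamed binary is caught through original_file_name. The bare `net share data=C:\data` and the `net use` event produce no row, which is the gap a tuner should keep in mind when deciding whether this rule alone covers share creation in their environment.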