Techniques
Sample rules
Windows Admin Share Mount Via Net.EXE
- source: sigma
- techniques:
  - t1021
  - t1021.002
Description
Detects when an admin share is mounted using net.exe
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - ' use '
    - ' \\\\*\\*$'
selection_img:
  - Image|endswith:
      - \net.exe
      - \net1.exe
  - OriginalFileName:
      - net.exe
      - net1.exe
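
The detection logic above, evaluated over constructed process-creation events. This is an added example, not code from the Sigma project or from this page; the matcher is a minimal stand-in for a Sigma backend, and all host names, paths and command lines are hypothetical.

```python
import re

def sigma_to_regex(pattern):
    """Sigma string to regex: doubled backslash = one literal backslash; * and ? = wildcards."""
    out, i = [], 0
    while i < len(pattern):
        c, nxt = pattern[i], pattern[i + 1:i + 2]
        if c == "\\" and nxt and nxt in "\\*?":   # escaped backslash or wildcard
            out.append(re.escape(nxt)); i += 2
            continue
        out.append({"*": ".*", "?": "."}.get(c) or re.escape(c))
        i += 1
    return "".join(out)

def match(value, pattern, mode):
    """Case-insensitive Sigma match for the modes contains, endswith and equals."""
    rx = sigma_to_regex(pattern)
    if mode in ("endswith", "equals"):
        rx += r"\Z"
    if mode == "equals":
        rx = r"\A" + rx
    return re.search(rx, value or "", re.I | re.S) is not None

def is_admin_share_mount(ev):
    """condition: all of selection_* (selection_img is an OR of two field maps)."""
    img = (any(match(ev.get("Image"), p, "endswith") for p in (r"\net.exe", r"\net1.exe"))
           or any(match(ev.get("OriginalFileName"), p, "equals") for p in ("net.exe", "net1.exe")))
    cli = all(match(ev.get("CommandLine"), p, "contains") for p in (" use ", r" \\\\*\\*$"))
    return img and cli

def ev(image, orig, cmd):
    return {"Image": image, "OriginalFileName": orig, "CommandLine": cmd}

# Constructed sample events (hypothetical hosts and paths).
NET = r"C:\Windows\System32\net.exe"
EVENTS = {
    "admin_share": ev(NET, "net.exe", r"net use \\FILESRV01\C$"),
    "renamed_binary": ev(r"C:\Temp\n.exe", "net.exe", r"n.exe use Z: \\FILESRV01\ADMIN$"),
    "normal_share": ev(NET, "net.exe", r"net use \\FILESRV01\Public"),
    "no_use_verb": ev(NET, "net.exe", r"net view \\FILESRV01\C$"),
    "other_process": ev(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"cmd /c echo net use \\FILESRV01\C$"),
    # '*' is unbounded, so a '$' anywhere after the UNC path also satisfies the pattern.
    "dollar_elsewhere": ev(NET, "net.exe", r"net use \\FILESRV01\Public /user:CORP\HOST01$"),
}

def verdicts():
    return {name: is_admin_share_mount(e) for name, e in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:18} {'ALERT' if hit else '-'}")
```

The renamed_binary event fires only through the OriginalFileName branch of selection_img, and dollar_elsewhere shows a false-positive source to account for when tuning.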