LoFP / inventory tool runs

Techniques

Sample rules

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Description

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM).

Detection logic

condition: selection_img and ((all of selection_group_* and not filter_group_add)
  or all of selection_accounts_*)
filter_group_add:
  CommandLine|contains: ' /add'
selection_accounts_flags:
  CommandLine|contains: ' /do'
selection_accounts_root:
  CommandLine|contains: ' accounts '
selection_group_flags:
  CommandLine|contains:
  - domain admins
  - ' administrator'
  - ' administrateur'
  - enterprise admins
  - Exchange Trusted Subsystem
  - Remote Desktop Users
  - "Utilisateurs du Bureau \xE0 distance"
  - Usuarios de escritorio remoto
  - ' /do'
selection_group_root:
  CommandLine|contains:
  - ' group '
  - ' localgroup '
selection_img:
- Image|endswith:
  - \net.exe
  - \net1.exe
- OriginalFileName:
  - net.exe
  - net1.exe
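As an added worked example (not code from LoFP or the Sigma rule), the detection logic above re-implemented in Python and run over constructed process-creation events, including the inventory-tool run this page lists as a false positive and the user check from the description. Field names follow the Sigma process_creation log source; the sample users, paths and command lines are made up.

```python
# Added example (not LoFP's or the Sigma project's code): evaluates the rule's
# detection logic over constructed Windows process-creation events.
# Field names (Image, OriginalFileName, CommandLine, User) follow the Sigma
# process_creation log source; the sample values below are constructed.
from typing import Dict, List

GROUP_FLAGS = ["domain admins", " administrator", " administrateur",
               "enterprise admins", "exchange trusted subsystem",
               "remote desktop users", "utilisateurs du bureau \xe0 distance",
               "usuarios de escritorio remoto", " /do"]
GROUP_ROOT = [" group ", " localgroup "]

def selection_img(e: Dict[str, str]) -> bool:
    # A YAML list under selection_img means OR between its two maps.
    image = e.get("Image", "").lower()
    ofn = e.get("OriginalFileName", "").lower()
    return image.endswith(("\\net.exe", "\\net1.exe")) or ofn in ("net.exe", "net1.exe")

def matches(e: Dict[str, str]) -> bool:
    """Sigma string matching is case-insensitive, so everything is lowercased."""
    if not selection_img(e):
        return False
    cl = e.get("CommandLine", "").lower()
    group = any(s in cl for s in GROUP_ROOT) and any(s in cl for s in GROUP_FLAGS)
    group_add = " /add" in cl            # filter_group_add
    accounts = " accounts " in cl and " /do" in cl
    return (group and not group_add) or accounts

def suspicious_user(e: Dict[str, str]) -> bool:
    """Triage hint from the rule description: service accounts (DOMAIN\\name$)
    and LOCAL_SYSTEM running these commands deserve a closer look."""
    user = e.get("User", "").upper()
    return user.endswith("$") or user == "NT AUTHORITY\\SYSTEM"

# Constructed events: an inventory agent enumerating RDP users (the LoFP
# false positive), an admin adding a member, a domain policy query, and noise.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\net.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": 'net localgroup "Remote Desktop Users"'},
    {"Image": r"C:\Windows\System32\net1.exe", "User": "CORP\\jdoe",
     "CommandLine": "net1 localgroup Administrators CORP\\svc01 /add"},
    {"Image": r"C:\Windows\System32\net.exe", "User": "CORP\\jdoe",
     "CommandLine": "net accounts /domain"},
    {"Image": r"C:\Windows\System32\net.exe", "User": "CORP\\jdoe",
     "CommandLine": r"net use Z: \\fs01\share"},
]

def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    return [matches(e) for e in events]
```

The first event fires even though it is the benign inventory run, which is why this rule appears under this false positive; `suspicious_user` narrows review to the SYSTEM and service-account cases the description calls out.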