Techniques
Sample rules
Share And Session Enumeration Using Net.EXE
- source: sigma
- technicques:
- t1018
Description
Detects attempts to enumerate file shares, printer shares and sessions using “net.exe” with the “view” flag.
Detection logic
condition: all of selection_* and not filter
filter:
CommandLine|contains: \\\\
selection_cli:
CommandLine|contains: view
selection_img:
- Image|endswith:
- \net.exe
- \net1.exe
- OriginalFileName:
- net.exe
- net1.exe