Windows Network Share Interaction With Net

Try in Splunk Security Cloud

Description

This analytic detects network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-04-21
• Author: Dean Luxton
• ID: 4dc3951f-b3f8-4f46-b412-76a483f72277

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1135	Network Share Discovery	Discovery

T1039

Data from Network Shared Drive

Collection

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit  FROM datamodel=Endpoint.Processes WHERE (Processes.process_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.orig_process_name="net.exe" OR Processes.orig_process_name="net1.exe") BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec Processes.process Processes.parent_process 
| `drop_dm_object_name(Processes)` 
| regex process="net[\s\.ex1]+view
|net[\s\.ex1]+share
|net[\s\.ex1]+use\s" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_network_share_interaction_with_net_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

windows_network_share_interaction_with_net_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Processes.process_name
• Processes.user
• Processes.dest
• Processes.process_exec
• Processes.parent_process_exec
• Processes.process
• Processes.parent_process

How To Implement

The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common Information Model (CIM) to normalize the field names capture the data within the datamodel schema.

Known False Positives

Unknown

Associated Analytic Story

• Active Directory Discovery
• Active Directory Privilege Escalation
• Network Discovery

RBA

Risk Score	Impact	Confidence	Message
20.0	20	100	User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1135/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1