Disable Net User Account

Try in Splunk Security Cloud

Description

This analytic will identify a suspicious command-line that disables a user account using the net.exe utility native to Windows. This technique may used by the adversaries to interrupt availability of such users to do their malicious act.

• Type: TTP
• Product: Splunk Behavioral Analytics
• Datamodel: Endpoint
• Last Updated: 2021-06-21
• Author: Teoderick Contreras, Splunk
• ID: ba858b08-d26c-11eb-af9b-acde48001122

ATT&CK

ID	Technique	Tactic
T1489	Service Stop	Impact

Search

| from read_ssa_enriched_events() 
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where cmd_line IS NOT NULL AND like(cmd_line, "%/active:no%") AND (process_name="net1.exe" OR process_name="net.exe") 
| eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) 
| into write_ssa_detected_events();

Associated Analytic Story

• XMRig
• Ransomware

How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed net.exe/net1.exe may be used.

Required field

• _time
• dest_device_id
• process_name
• parent_process_name
• process_path
• dest_user_id
• process

Kill Chain Phase

• Exploitation

Known False Positives

network operator may use this approach to quickly disable an account but not a common practice.

Reference

• https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/net_user_dis.log

source | version: 2