This analytic will identify a suspicious command-line that disables a user account using the native
net1.exe utility to Windows. This technique may used by the adversaries to interrupt availability of accounts and continue the impact against the organization.
- Type: TTP
- Product: Splunk Behavioral Analytics
- Datamodel: Endpoint_Processes
- Last Updated: 2021-12-01
- Author: Teoderick Contreras, Splunk
- ID: ba858b08-d26c-11eb-af9b-acde48001122
| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where cmd_line IS NOT NULL AND like(cmd_line, "%/active:no%") AND like(cmd_line, "%user%") AND (process_name="net1.exe" OR process_name="net.exe") | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) | into write_ssa_detected_events();
Associated Analytic Story
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed net.exe/net1.exe may be used.
Kill Chain Phase
Known False Positives
System administrators or automated scripts may disable an account but not a common practice. Filter as needed.
|49.0||70||70||An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest_device_id$ by user $dest_user_id$ attempting to disable accounts.|
source | version: 3