A newer version is available. For the latest information, see the
current release documentation.
Mounting Hidden or WebDav Remote Shares
editMounting Hidden or WebDav Remote Sharesedit
Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 3 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
editprocess where event.type in ("start", "process_started") and ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")) and process.args : "use" and /* including hidden and webdav based online shares such as onedrive */ process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and /* excluding shares deletion operation */ not process.args : "/d*"
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
Rule version historyedit
- Version 3 (7.12.0 release)
-
- Formatting only
- Version 2 (7.11.2 release)
-
- Formatting only