IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Mounting Hidden or WebDav Remote Shares
editMounting Hidden or WebDav Remote Shares
editIdentifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Initial Access
- Lateral Movement
Version: 103
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editprocess where event.type == "start" and
((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
not process.parent.name : "net.exe")) and
process.args : "use" and
/* including hidden and webdav based online shares such as onedrive */
process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and
/* excluding shares deletion operation */
not process.args : "/d*"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
-
Sub-technique:
- Name: SMB/Windows Admin Shares
- ID: T1021.002
- Reference URL: https://attack.mitre.org/techniques/T1021/002/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Sub-technique:
- Name: Local Accounts
- ID: T1078.003
- Reference URL: https://attack.mitre.org/techniques/T1078/003/