057. Detecting NetExec

Hello everyone! Recently we observed an activity cluster, which leveraged NetExec during post-exploitation. It's an open source tool for network service exploitation with LOTS of features. You can learn more about the tool here.


From a detection perspective it's also interesting. Today we'll cover only process creation events related to execution of the tool on the compromised system.

I often tell you to look at file metadata to spot renamed tools, but this time that won't work: the NetExec binary doesn't carry any. At the same time, it has lots of interesting command line arguments, but some of them are very noisy, so, based on my testing, here's the query:

event_type: "processcreate"

AND

cmdline.keyword:/.* (smb|ldap|winrm|mssql|rdp|wmi|nfs) .*/

AND

cmdline: ("u" AND "p")

AND

cmdline: ("zerologon" OR "nopac" OR "printnightmare" OR "smbghost" OR "ms17-010" OR "coerce_plus" OR "enum_av" OR "delegate" OR "x" OR "pi" OR "empire_exec" OR "met_inject" OR "spider" OR "put-file" OR "get-file" OR "sam" OR "lsa" OR "ntds" OR "lsassy" OR "nanodump" OR "mimikatz" OR "dpapi" OR "sccm" OR "wam" OR "wifi" OR "keepass_discover" OR "keepass_trigger" OR "veeam" OR "winscp" OR "putty" OR "vnc" OR "mremoteng" OR "rdcman" OR "laps" OR "spooler" OR "webdav" OR "teams_localdb" OR "loggedon-users" OR "schtask_as" OR "security-questions" OR "group-mem" OR "asreproast" OR "get-sid" OR "kerberoasting" OR "maq" OR "get-desc-users" OR "gmsa" OR "adcs" OR "get-network" OR "ldap-checker" OR "daclread" OR "bloodhound" OR "dc-list" OR "enum_trusts" OR "no-bruteforce" OR "mssql_priv" OR "local-auth" OR "rid-brute" OR "screenshot")
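To test the logic of that query against process creation events offline, here is the same three-clause check re-implemented in Python. This is an added example, not the author's query or anything from the NetExec project; the tokenizer only approximates a SIEM analyzer (split on whitespace, strip leading dashes, lowercase), and the sample command lines are constructed to exercise each clause, including a renamed binary where file metadata would not help and a credential-only run that the noisy-argument filter deliberately leaves alone.

```python
import re
from typing import NamedTuple, Optional

# Protocols NetExec takes as its first positional argument
# (the alternation in the page's cmdline.keyword regex).
PROTOCOLS = ("smb", "ldap", "winrm", "mssql", "rdp", "wmi", "nfs")

# Module names and options from the page's keyword list.
SUSPICIOUS_TOKENS = {
    "zerologon", "nopac", "printnightmare", "smbghost", "ms17-010", "coerce_plus",
    "enum_av", "delegate", "x", "pi", "empire_exec", "met_inject", "spider",
    "put-file", "get-file", "sam", "lsa", "ntds", "lsassy", "nanodump", "mimikatz",
    "dpapi", "sccm", "wam", "wifi", "keepass_discover", "keepass_trigger", "veeam",
    "winscp", "putty", "vnc", "mremoteng", "rdcman", "laps", "spooler", "webdav",
    "teams_localdb", "loggedon-users", "schtask_as", "security-questions",
    "group-mem", "asreproast", "get-sid", "kerberoasting", "maq", "get-desc-users",
    "gmsa", "adcs", "get-network", "ldap-checker", "daclread", "bloodhound",
    "dc-list", "enum_trusts", "no-bruteforce", "mssql_priv", "local-auth",
    "rid-brute", "screenshot",
}

# Mirrors cmdline.keyword:/.* (smb|...) .*/ : the protocol must appear as its
# own word with a literal space on either side.
PROTOCOL_RE = re.compile(r" (" + "|".join(PROTOCOLS) + r") ")


class Verdict(NamedTuple):
    matched: bool            # True only when all three query clauses hold
    protocol: Optional[str]  # protocol word found by the regex, if any
    hits: tuple              # suspicious tokens that fired (empty if none)


def tokenize(cmdline: str) -> list:
    """Approximate the SIEM analyzer (assumption): whitespace split, leading
    dashes removed, lowercased. '-u', '--local-auth', '-M' -> 'u', 'local-auth', 'm'."""
    return [tok.lstrip("-").lower() for tok in cmdline.split() if tok.lstrip("-")]


def evaluate(cmdline: str) -> Verdict:
    """Apply the page's query to one process creation command line."""
    proto = PROTOCOL_RE.search(cmdline)
    if proto is None:                       # clause 1: protocol word
        return Verdict(False, None, ())
    toks = tokenize(cmdline)
    if "u" not in toks or "p" not in toks:  # clause 2: cmdline:("u" AND "p")
        return Verdict(False, proto.group(1), ())
    hits = tuple(t for t in toks if t in SUSPICIOUS_TOKENS)  # clause 3
    return Verdict(bool(hits), proto.group(1), hits)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "nxc smb 10.0.0.5 -u admin -p Winter2024 -M lsassy",                      # module use
    "netexec ldap dc01.corp.local -u svc_backup -p Passw0rd --kerberoasting out.txt",
    "update.exe mssql 10.0.0.9 -u sa -p sa -x whoami",                        # renamed binary
    "nxc winrm 10.0.0.7 -u admin -p pw",              # credential check only: too noisy
    "mount -t nfs fs01:/export /mnt/data",            # protocol word, but no -u / -p
    "Get-ChildItem -Path C:\\share\\sam",             # keyword only, no protocol clause
]


def scan(events) -> list:
    """Return (cmdline, verdict) for every event the query would flag."""
    flagged = []
    for event in events:
        verdict = evaluate(event)
        if verdict.matched:
            flagged.append((event, verdict))
    return flagged


if __name__ == "__main__":
    for event, verdict in scan(SAMPLE_EVENTS):
        print(f"[{verdict.protocol}] hits={verdict.hits} :: {event}")
```

Run it and only the first three sample lines are flagged: the plain credential-validation run and the NFS mount pass the protocol clause but not the others, which is exactly the noise the keyword clause is there to suppress. Swap `SAMPLE_EVENTS` for an export of your own process creation logs to get a quick read on false positives before deploying the query.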

Does it generate any false positives in your environment? Let me know!

See you tomorrow!
