title: Mounted Windows Admin Shares with net.exe
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st,
  wagga
date: 2020/10/05
description: Detects when an admin share is mounted using net.exe
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image:
    - '*\net.exe'
    - '*\net1.exe'
  SELECTION_3:
    CommandLine: '* use *'
  SELECTION_4:
    CommandLine: '*\\\*\\*$*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Administrators
id: 3abd6094-7027-475f-9630-8ab9be7b9725
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2021/06/27
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
ruletype: SIGMA