Add Runas.yml & Net.yml
suchenbinwoaini committed Oct 17, 2024
1 parent 2bbe8cf commit 2918f96
Showing 2 changed files with 0 additions and 12 deletions.
7 changes: 0 additions & 7 deletions yml/OSBinaries/Net.yml
Expand Up @@ -11,21 +11,16 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8,Windows 10,Windows 11

- Command: net start [SERVICES]
Description: Utilize this command to see which services are active and can also start specific services if needed.
Usecase: The net start command is commonly used in various scenarios, particularly in system administration and remote link.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8,Windows 10,Windows 11


Full_Path:
- Path: C:\Windows\System32\net.exe
- Path: C:\Windows\SysWOW64\net.exe


Detection:
- IOC: Net.exe executing files from alternate data streams.
- IOC: Net.exe connecting to external URLs to download files.
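
Review bot: in the `net start [SERVICES]` entry, `Category: Download` and `MitreID: T1105` do not match the description, which is about listing and starting services; nothing in that command transfers a file. Pick a category and technique that fit service enumeration or service start (for example T1007, System Service Discovery, for the listing case), and drop or reword `IOC: Net.exe connecting to external URLs to download files.` at the end of the hunk unless a command in the file actually does that. The `OperatingSystem` value also mixes `, ` and `,` as separators (`Windows 8,Windows 10,Windows 11`).
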
Expand All @@ -35,8 +30,6 @@ Detection:
- Splunk: https://github.com/splunk/security_content/blob/develop/detections/endpoint/domain_group_discovery_with_net.yml
- Elastic: https://github.com/elastic/detection-rules/blob/main/rta/net_user_add.py
- Elastic: https://github.com/elastic/detection-rules/blob/main/rules_building_block/discovery_net_view.toml


Resources:
- Link: https://medium.com/@boutnaru/the-windows-process-journey-net-exe-net-command-91e4964f20b8
- Link: https://www.file.net/process/net.exe.html
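
Review bot: the first Elastic entry under `Detection:` links to `rta/net_user_add.py`, a script in the repository's `rta/` directory, not a rule file like the `.toml` entry on the next line; link the rule that covers the behaviour instead. The Splunk and Elastic rules named here are about group discovery, user add and `net view`, while the commands visible in this diff are the T1564.004 entry and `net start`, so the detections and the commands should be brought in line with each other.
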
5 changes: 0 additions & 5 deletions yml/OSBinaries/Runas.yml
Expand Up @@ -18,14 +18,9 @@ Commands:
Privileges: Required privs
MitreID: T1033
OperatingSystem: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8,Windows 10,Windows 11


Full_Path:
- Path: C:\Windows\System32\runas.exe
- Path: C:\Windows\SysWOW64\runas.exe



Detection:
- IOC: Runas.exe executing files from alternate data streams.
- IOC: Runas.exe accessing unusual user accounts.
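
Review bot: `Privileges: Required privs` at the top of the hunk reads like an unfilled template value; state the level the command actually needs, as Net.yml does with `Privileges: User`. The first IOC, `Runas.exe executing files from alternate data streams.`, repeats the wording of the Net.yml IOC and should be checked against a command in this file. The commit title says "Add", but the change only deletes blank lines (0 additions, 5 deletions in this file), so the message should say that.
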