From 2918f96b92104088a80991aa171ca783268ac4f4 Mon Sep 17 00:00:00 2001
From: suchenbinwoaini <77614336+suchenbinwoaini@users.noreply.github.com>
Date: Thu, 17 Oct 2024 15:51:41 +0800
Subject: [PATCH] Add Runas.yml & Net.yml
---
 yml/OSBinaries/Net.yml | 7 -------
 yml/OSBinaries/Runas.yml | 5 -----
 2 files changed, 12 deletions(-)
diff --git a/yml/OSBinaries/Net.yml b/yml/OSBinaries/Net.yml
index fa9e64c7..6e1cf6a2 100644
--- a/yml/OSBinaries/Net.yml
+++ b/yml/OSBinaries/Net.yml
@@ -11,7 +11,6 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8,Windows 10,Windows 11
-
 - Command: net start [SERVICES]
 Description: Utilize this command to see which services are active and can also start specific services if needed.
 Usecase: The net start command is commonly used in various scenarios, particularly in system administration and remote link.
@@ -19,13 +18,9 @@ Commands:
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8,Windows 10,Windows 11
-
-
 Full_Path:
 - Path: C:\Windows\System32\net.exe
 - Path: C:\Windows\SysWOW64\net.exe
-
-
 Detection:
 - IOC: Net.exe executing files from alternate data streams.
 - IOC: Net.exe connecting to external URLs to download files.
@@ -35,8 +30,6 @@ Detection:
 - Splunk: https://github.com/splunk/security_content/blob/develop/detections/endpoint/domain_group_discovery_with_net.yml
 - Elastic: https://github.com/elastic/detection-rules/blob/main/rta/net_user_add.py
 - Elastic: https://github.com/elastic/detection-rules/blob/main/rules_building_block/discovery_net_view.toml
-
-
 Resources:
 - Link: https://medium.com/@boutnaru/the-windows-process-journey-net-exe-net-command-91e4964f20b8
 - Link: https://www.file.net/process/net.exe.html
diff --git a/yml/OSBinaries/Runas.yml b/yml/OSBinaries/Runas.yml
index 04b7b00b..30f48f68 100644
--- a/yml/OSBinaries/Runas.yml
+++ b/yml/OSBinaries/Runas.yml
@@ -18,14 +18,9 @@ Commands:
 Privileges: Required privs
 MitreID: T1033
 OperatingSystem: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8,Windows 10,Windows 11
-
-
 Full_Path:
 - Path: C:\Windows\System32\runas.exe
 - Path: C:\Windows\SysWOW64\runas.exe
-
-
-
 Detection:
 - IOC: Runas.exe executing files from alternate data streams.
 - IOC: Runas.exe accessing unusual user accounts.