Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Net
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Net
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility) Net has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
ID: S0039
Type: TOOL
Platforms: Windows
Version: 2.3
Created: 31 May 2017
Last Modified: 15 Oct 2021

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Commands under net user can be used in Net to gather information about and manipulate user accounts.(Citation: Savill 1999)
.002 Account Discovery: Domain Account

Net commands used with the /domain flag can be used to gather information about and manipulate user accounts on the current domain.(Citation: Microsoft Net)

Enterprise T1136 .001 Create Account: Local Account

The net user username \password commands in Net can be used to create a local account.(Citation: Savill 1999)
.002 Create Account: Domain Account

The net user username \password \domain commands in Net can be used to create a domain account.(Citation: Savill 1999)

Enterprise T1070 .005 Indicator Removal: Network Share Connection Removal

The net use \\system\share /delete command can be used in Net to remove an established connection to a network share.(Citation: Technet Net Use)
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups.(Citation: Savill 1999)
.002 Permission Groups Discovery: Domain Groups

Commands such as net group /domain can be used in Net to gather information about and manipulate groups.(Citation: Savill 1999)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Lateral movement can be done with Net through net use commands to connect to the on remote systems.(Citation: Savill 1999)
Enterprise T1569 .002 System Services: Service Execution

The net start and net stop commands can be used in Net to execute or stop Windows services.(Citation: Savill 1999)

Groups That Use This Software
ID Name References
G0019 Naikon

(Citation: Bitdefender Naikon April 2021) (Citation: Baumgartner Naikon 2015)

G0059 Magic Hound

(Citation: DFIR Report APT35 ProxyShell March 2022)

G0082 APT38

(Citation: FireEye APT38 Oct 2018)

G0035 Dragonfly

(Citation: US-CERT TA18-074A)

G0009 Deep Panda

(Citation: Alperovitch 2014)

G0027 Threat Group-3390

(Citation: SecureWorks BRONZE UNION June 2017)

G0049 OilRig

(Citation: Palo Alto OilRig May 2016) (Citation: FireEye APT34 Dec 2017)

G0028 Threat Group-1314

(Citation: Dell TG-1314)

G0007 APT28

(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

G0096 APT41

(Citation: FireEye APT41 Aug 2019)

G0045 menuPass

(Citation: PWC Cloud Hopper Technical Annex April 2017)

G0074 Dragonfly 2.0

(Citation: US-CERT TA18-074A)

G0004 Ke3chang

(Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong)

G0065 Leviathan

(Citation: FireEye APT40 March 2019)

G0071 Orangeworm

(Citation: Symantec Orangeworm April 2018)

G0093 GALLIUM

(Citation: Cybereason Soft Cell June 2019)

G0018 admin@338

(Citation: FireEye admin@338)

G0114 Chimera

(Citation: NCC Group Chimera January 2021)

G0006 APT1

(Citation: Mandiant APT1)

G0061 FIN8

(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

G0092 TA505

(Citation: Trend Micro TA505 June 2019)

G0010 Turla

(Citation: Kaspersky Turla)

G0064 APT33

(Citation: Symantec Elfin Mar 2019)

G0102 Wizard Spider

(Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: Sophos New Ryuk Attack October 2020) (Citation: CrowdStrike Ryuk January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020)

G0034 Sandworm Team

(Citation: Dragos Crashoverride 2018)

G0016 APT29

(Citation: CISA SoreFang July 2016)

G0050 APT32

(Citation: Cybereason Cobalt Kitty 2017)

G0060 BRONZE BUTLER

(Citation: Secureworks BRONZE BUTLER Oct 2017)

References

  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.
  3. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  4. Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.
  5. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  6. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  7. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  8. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  9. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  10. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  11. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  12. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  13. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  14. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  15. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  16. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  17. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  18. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  19. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  20. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  21. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  22. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  23. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  24. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  25. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  26. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  27. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  28. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  29. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  30. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  31. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  32. Microsoft. (n.d.). Net time. Retrieved November 25, 2016.
  33. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  34. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  35. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  36. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  37. Microsoft. (2017, February 14). Net Commands On Windows Operating Systems. Retrieved March 19, 2020.
  38. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  39. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  40. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  41. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.