
S0039 Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.[1]

Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using `net use` commands, and interacting with services. The `net1.exe` utility is executed for certain functionality when `net.exe` is run and can be used directly in commands such as `net1 user`.

| Item | Value |
| --- | --- |
| ID | S0039 |
| Associated Names | |
| Type | TOOL |
| Version | 2.4 |
| Created | 31 May 2017 |
| Last Modified | 03 March 2023 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | |
| enterprise | T1087.001 | Local Account | Commands under `net user` can be used in Net to gather information about and manipulate user accounts.[2] |
| enterprise | T1087.002 | Domain Account | Net commands used with the `/domain` flag can be used to gather information about and manipulate user accounts on the current domain.[3] |
| enterprise | T1136 | Create Account | |
| enterprise | T1136.001 | Local Account | The `net user username \password` commands in Net can be used to create a local account.[2] |
| enterprise | T1136.002 | Domain Account | The `net user username \password \domain` commands in Net can be used to create a domain account.[2] |
| enterprise | T1070 | Indicator Removal | |
| enterprise | T1070.005 | Network Share Connection Removal | The `net use \\system\share /delete` command can be used in Net to remove an established connection to a network share.[4] |
| enterprise | T1135 | Network Share Discovery | The `net view \\remotesystem` and `net share` commands in Net can be used to find shared drives and directories on remote and local systems respectively.[2] |
| enterprise | T1201 | Password Policy Discovery | The `net accounts` and `net accounts /domain` commands with Net can be used to obtain password policy information.[2] |
| enterprise | T1069 | Permission Groups Discovery | |
| enterprise | T1069.001 | Local Groups | Commands such as `net group` and `net localgroup` can be used in Net to gather information about and manipulate groups.[2] |
| enterprise | T1069.002 | Domain Groups | Commands such as `net group /domain` can be used in Net to gather information about and manipulate groups.[2] |
| enterprise | T1021 | Remote Services | |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Lateral movement can be done with Net through `net use` commands to connect to remote systems.[2] |
| enterprise | T1018 | Remote System Discovery | Commands such as `net view` can be used in Net to gather information about available remote systems.[2] |
| enterprise | T1049 | System Network Connections Discovery | Commands such as `net use` and `net session` can be used in Net to gather information about network connections from a particular host.[2] |
| enterprise | T1007 | System Service Discovery | The `net start` command can be used in Net to find information about Windows services.[2] |
| enterprise | T1569 | System Services | |
| enterprise | T1569.002 | Service Execution | The `net start` and `net stop` commands can be used in Net to execute or stop Windows services.[2] |
| enterprise | T1124 | System Time Discovery | The `net time` command can be used in Net to determine the local or remote system time.[5] |
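
For triage of endpoint process-creation telemetry, the following added example (not part of the ATT&CK entry) maps `net.exe`/`net1.exe` command lines to the technique IDs listed in the table above. The sample command lines and host names are constructed; the `/add` flag and the treatment of a bare `net start` as discovery follow Microsoft's documented Net syntax and are assumptions not stated on this page.

```python
import re
from collections import Counter

# net.exe or net1.exe as the image, with optional path, quotes and extension.
NET_IMAGE = re.compile(r'^"?(?:[^"\s]*\\)?net1?(?:\.exe)?"?$', re.IGNORECASE)

def classify(cmdline):
    """Map one process command line to a technique ID from the table, or None."""
    tokens = cmdline.split()
    if len(tokens) < 2 or not NET_IMAGE.match(tokens[0]):
        return None
    sub, args = tokens[1].lower(), [t.lower() for t in tokens[2:]]
    domain = "/domain" in args
    unc = any(a.startswith("\\\\") for a in args)  # \\host or \\host\share argument
    if sub == "user":
        if "/add" in args:  # assumption: Microsoft's documented account-creation flag
            return "T1136.002" if domain else "T1136.001"
        return "T1087.002" if domain else "T1087.001"
    if sub in ("group", "localgroup"):
        return "T1069.002" if domain else "T1069.001"
    if sub == "use":
        if "/delete" in args:
            return "T1070.005"
        return "T1021.002" if unc else "T1049"
    if sub == "view":
        return "T1135" if unc else "T1018"
    if sub == "start":
        return "T1569.002" if args else "T1007"  # bare `net start` only lists services
    return {"share": "T1135", "accounts": "T1201", "session": "T1049",
            "stop": "T1569.002", "time": "T1124"}.get(sub)

# Constructed command lines (not taken from any real incident).
SAMPLE = [
    r"C:\Windows\System32\net.exe user", r"net1 user /domain",
    r"net.exe user svc_example ExamplePass1 /add", r"net group /domain",
    r'"C:\Windows\System32\net1.exe" localgroup administrators',
    r"net use \\FILESRV01\C$", r"net use \\FILESRV01\C$ /delete",
    r"net view \\FILESRV01", r"net view", r"net accounts /domain",
    r"net start", r"net stop Spooler", r"netstat -ano", r"net time \\DC01",
]

def summarize(cmdlines):
    """Count technique hits per ID, skipping lines that are not Net invocations."""
    return Counter(t for t in map(classify, cmdlines) if t)
```

Individual Net commands are routine administration, so the per-host counts from `summarize` are most useful when several distinct discovery techniques appear from one account in a short window.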

Groups That Use This Software

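| ID | Name | References |
| --- | --- | --- |
| G0027 | Threat Group-3390 | [6] |
| G0059 | Magic Hound | [8][7] |
| G0007 | APT28 | [9] |
| G0082 | APT38 | [10] |
| G0096 | APT41 | [11] |
| G0061 | FIN8 | [12] |
| G0071 | Orangeworm | [13] |
| G0035 | Dragonfly | [14] |
| G0018 | admin@338 | [15] |
| G0045 | menuPass | [16] |
| G0004 | Ke3chang | [17][18] |
| G0006 | APT1 | [19] |
| G0034 | Sandworm Team | [20] |
| G0019 | Naikon | [21][22] |
| G0114 | Chimera | [23] |
| G0092 | TA505 | [24] |
| G0102 | Wizard Spider | [26][25][27][31][29][30][28] |
| G0049 | OilRig | [32][33] |
| G0065 | Leviathan | [34] |
| G0010 | Turla | [35] |
| G0009 | Deep Panda | [36] |
| G0028 | Threat Group-1314 | [37] |
| G0050 | APT32 | [38] |
| G0016 | APT29 | [39] |
| G0093 | GALLIUM | [40] |
| G0060 | BRONZE BUTLER | [41] |
| G0064 | APT33 | [42] |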

References


  1. Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015. 

  2. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015. 

  3. Microsoft. (2017, February 14). Net Commands On Windows Operating Systems. Retrieved March 19, 2020. 

  4. Microsoft. (n.d.). Net Use. Retrieved November 25, 2016. 

  5. Microsoft. (n.d.). Net time. Retrieved November 25, 2016. 

  6. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  7. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  8. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  9. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  10. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  11. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  12. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  13. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  14. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  15. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  16. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  17. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  18. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  19. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  20. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  21. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  22. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  23. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  24. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  25. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. 

  26. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  27. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  28. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. 

  29. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  30. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020. 

  31. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  32. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  33. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  34. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. 

  35. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  36. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. 

  37. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016. 

  38. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  39. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  40. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  41. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  42. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.