Threat Feed
medium advisory

Mounting of Hidden or WebDav Remote Shares via Net Utility

Adversaries may leverage the `net.exe` utility to mount WebDav or hidden remote shares, potentially indicating lateral movement, data exfiltration preparation, or initial access via discovery of accessible shares.

The threat involves the abuse of the legitimate Windows net.exe utility to mount remote shares, including hidden (e.g., administrative shares) and WebDav shares. This activity may signal lateral movement within a network, preparation for data exfiltration, or initial access through reconnaissance of available network resources. The detection focuses on identifying specific command-line patterns used with net.exe to mount these shares. While the primary data source for the detection rule is Elastic Defend, it also supports data from CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs. This activity can be masked within normal administrative functions, so tuning and baselining are important.

Attack Chain

  1. An attacker gains initial access to a compromised system through various means (e.g., phishing, exploiting a vulnerability).
  2. The attacker executes net.exe or net1.exe to discover available network shares, identifying potential targets for lateral movement or data exfiltration.
  3. The attacker uses net.exe to attempt to mount a hidden or WebDav share, often using stolen credentials or exploiting existing permissions. The command uses the `use` subcommand and specifies a share path such as `\\<server>\<share>` (hidden administrative shares end in `$`) or `http(s)://<server>/<share>` for WebDav.
  4. If successful, the attacker gains access to the remote share, potentially browsing its contents to identify valuable data or resources.
  5. The attacker copies sensitive data from the remote share to the compromised system.
  6. The attacker stages the exfiltrated data on the compromised system, preparing it for transfer to an external location.
  7. The attacker uses another tool or protocol (e.g., FTP, SCP, web upload) to exfiltrate the data to a destination controlled by the attacker.
  8. The attacker cleans up any traces of their activity on the compromised system and the remote share, attempting to avoid detection.

Impact

Successful exploitation could lead to unauthorized access to sensitive data, lateral movement to other systems, and ultimately, data exfiltration. The mounting of hidden shares gives the attacker the ability to move laterally and escalate their privileges. Depending on the data stored on the shares, data breaches and financial losses are possible. Targeted sectors are broad, as net.exe is a standard Windows utility.

Recommendation

  • Deploy the “Mounting Hidden or WebDav Remote Shares” rule to your SIEM, tuning it for your environment to minimize false positives and detect suspicious activity.
  • Enable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, including net.exe and its command-line arguments as outlined in the rule description.
  • Investigate and validate any alerts generated by the “Mounting Hidden or WebDav Remote Shares” rule, focusing on the process details, arguments, and associated user accounts, as suggested in the rule’s triage and analysis section.
  • Implement network segmentation to limit lateral movement possibilities, mitigating the potential impact of successful share mounting as mentioned in the response and remediation steps.

Detection coverage (2 rules)

Detect Net.exe Mounting Hidden or WebDav Shares

medium

Detects the use of net.exe to mount a WebDav or hidden remote share, which may indicate lateral movement or preparation for data exfiltration.

Format: sigma | Tactics: lateral_movement | Techniques: T1021.002 | Sources: process_creation, windows

Detect Net1.exe Mounting Hidden or WebDav Shares

medium

Detects the use of net1.exe to mount a WebDav or hidden remote share, which may indicate lateral movement or preparation for data exfiltration.

Format: sigma | Tactics: lateral_movement | Techniques: T1021.002 | Sources: process_creation, windows
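The two rules above and the description at the top of this advisory share one idea: look at process-creation events for net.exe or net1.exe, keep only `use` invocations, and flag a target that is either a UNC path whose share name ends in `$` or an http(s) URL. The following Python is an added example written for this page to make that logic concrete; it is not the platform's detection query (which is not shown here). The Sysmon Event ID 1 style field names (`Image`, `CommandLine`, `User`), the host, share and account names in the sample records, and the `known_admin_users` allowlist used for baselining are all constructed assumptions.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style records; sample values only,
# not telemetry from any real environment.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver01\C$ /user:corp\svc_it",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"net1 use * https://webdav.example.net/share",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver01\Public",   # ordinary share: no alert
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net view \\fileserver01",            # discovery, not a mount
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver01\ADMIN$",
     "User": r"CORP\svc_backup"},
]

NET_IMAGES = frozenset({"net.exe", "net1.exe"})

# UNC path whose share name ends in '$' (administrative or otherwise hidden
# shares such as C$ or ADMIN$), optionally followed by a subdirectory.
HIDDEN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+\$(?:\\.*)?$", re.IGNORECASE)
# WebDav target handed to 'net use' as an http(s) URL.
WEBDAV_RE = re.compile(r"^https?://", re.IGNORECASE)


def classify_net_use(image: str, command_line: str):
    """Return 'hidden', 'webdav' or None for one process-creation event.

    Only net.exe / net1.exe 'use' invocations are considered. Drive letters,
    '*' and /switches are skipped so that only the share target is inspected.
    Share paths containing spaces would need quote-aware splitting (not done here).
    """
    if ntpath.basename(image).lower() not in NET_IMAGES:
        return None
    tokens = command_line.split()
    if len(tokens) < 2 or tokens[1].lower() != "use":
        return None
    for tok in tokens[2:]:
        target = tok.strip('"')
        if target.startswith("/"):
            continue  # e.g. /user:, /persistent:
        if WEBDAV_RE.match(target):
            return "webdav"
        if HIDDEN_SHARE_RE.match(target):
            return "hidden"
    return None


def scan_events(events, known_admin_users=frozenset()):
    """Apply the classifier to a batch of events, dropping baselined accounts.

    known_admin_users is the tuning hook: accounts that legitimately mount
    admin shares during normal operations can be suppressed here.
    """
    suppressed = {u.lower() for u in known_admin_users}
    alerts = []
    for ev in events:
        kind = classify_net_use(ev["Image"], ev["CommandLine"])
        if kind is None or ev["User"].lower() in suppressed:
            continue
        alerts.append({
            "user": ev["User"],
            "image": ntpath.basename(ev["Image"]),
            "share_type": kind,
            "command_line": ev["CommandLine"],
        })
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['share_type']}] {a['user']} via {a['image']}: {a['command_line']}")
```

Run stand-alone, the script flags three of the five constructed records (two hidden-share mounts and one WebDav mount) and ignores the mount of an ordinary share and the `net view` discovery command. Passing the backup service account in `known_admin_users` removes its `ADMIN$` mount from the output, which is the kind of baselining the advisory recommends before deploying the rule to a SIEM.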
