Mounting Hidden or WebDav Remote Shares via Net.exe
Adversaries may use net.exe to mount WebDav or hidden remote shares, indicating lateral movement or preparation for data exfiltration within a Windows environment.
This threat brief addresses the use of net.exe and net1.exe by attackers to mount WebDav or hidden remote shares on Windows systems. This technique, often employed for lateral movement or data exfiltration preparation, involves leveraging the native Windows networking tool to establish connections to remote resources. Defenders should be aware that threat actors may exploit these legitimate tools to blend in with normal network activity. The detection strategy focuses on identifying specific command patterns associated with mounting hidden or WebDav shares, while excluding benign operations such as share deletion. This activity may lead to unauthorized access to sensitive data or further compromise of the network. The rule was last updated on 2026/04/07.
Attack Chain
- Initial Access: The attacker gains initial access to a Windows system through various means (e.g., phishing, exploiting a vulnerability).
- Account Discovery (T1087): The attacker uses commands to discover available accounts and network resources to identify potential targets for lateral movement.
- Remote Service (T1021.002): The attacker attempts to mount a hidden or WebDav remote share using
net.exeornet1.exe. - Share Discovery: The attacker leverages
net.exewith theuseargument to enumerate available network shares. This is often combined with discovery of hidden shares using specific patterns. - Credentialed Access: Attacker uses compromised credentials (T1078) to authenticate to the remote share if required.
- Lateral Movement: The attacker uses the mounted share to move laterally to other systems on the network.
- Data Exfiltration Preparation: The attacker stages data on the mounted share for subsequent exfiltration.
- Data Exfiltration: The attacker exfiltrates the staged data from the mounted share to an external location.
Impact
A successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. The compromise of even a single endpoint can provide a foothold for attackers to expand their reach and steal valuable information. While specific victim counts and sectors are not detailed in the source, the potential impact spans across any organization utilizing Windows-based networks and file-sharing protocols.
Recommendation
- Deploy the "Mounting Hidden or WebDav Remote Shares" rule to your SIEM to detect suspicious
net.exeusage (rule). - Monitor process creation events for the execution of
net.exeornet1.exewith arguments related to mounting network shares (log source). - Implement network segmentation to limit lateral movement and reduce the potential impact of compromised systems (general security practice).
- Investigate and exclude legitimate uses of
net.exefor mounting network drives by internal IP addresses or user accounts to reduce false positives (rule). - Enhance monitoring and alerting for suspicious network activity, including outbound connections that may indicate data exfiltration (general security practice).
- Review and harden account access controls to prevent unauthorized access to network shares (general security practice).
Detection coverage 2
Detect Mounting Hidden or WebDav Remote Shares via Net.exe
mediumDetects the use of net.exe to mount a WebDav or hidden remote share, potentially indicating lateral movement or preparation for data exfiltration.
Detect Mounting Hidden or WebDav Remote Shares via Net1.exe
mediumDetects the use of net1.exe to mount a WebDav or hidden remote share, potentially indicating lateral movement or preparation for data exfiltration.
Detection queries are available on the platform. Get full rules →