anavem.
High RiskWindowsLegitimateCommonly Abused
net.exeSYSTEM UTILITY

net.exe - Windows Net Command Security Analysis

net.exe is a Windows utility for managing **users, groups, shares, and services**. Attackers use net.exe extensively for **reconnaissance** (net user, net group), **lateral movement** (net use), **persistence** (net user /add), and **credential harvesting**. It is one of the most commonly observed tools in post-exploitation.

Risk Summary

HIGH priority for SOC triage. net.exe is heavily used in attack chains for reconnaissance and lateral movement. Commands like "net user /add", "net localgroup administrators /add", and "net use \\target" are **strong indicators of compromise**.

Overview

What is net.exe?

net.exe is a command-line utility for managing Windows network resources and accounts.

Core Functions

Account Management:

  • User account operations
  • Group membership
  • Password changes

Network Resources:

  • Map network drives
  • Manage shares
  • Connect to remote systems

Service Control:

  • Start/stop services

Security Significance

  • Recon Favorite: User/group enumeration
  • Lateral Movement: Network share access
  • Persistence: Account creation
  • Privilege Escalation: Admin group addition

Normal Behavior

Normal Behavior

Expected Process State

PropertyExpected Value
PathC:\Windows\System32\net.exe
Parentcmd.exe, powershell.exe
UserVaries
ContextSystem administration

Legitimate Usage

net use
net view
net time

Common Locations

C:\Windows\System32\net.exeC:\Windows\SysWOW64\net.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Command:     net use Z: \\fileserver\share
             net time \\dc
             net view
Context:     Normal business operations

SUSPICIOUS

Command:     net user hacker P@ssw0rd /add
             net localgroup administrators hacker /add
             net user /domain
             net group "Domain Admins" /domain
             net use \\target\C$ /user:admin pass
Context:     Unexpected reconnaissance
             Account manipulation

High-Risk Commands

CommandRiskPurpose
net user /addCRITICALCreate account
net localgroup administrators /addCRITICALPrivilege escalation
net user /domainHIGHDomain recon
net group "Domain Admins"HIGHAdmin enumeration
net use \target\C$HIGHLateral movement

Abuse Techniques

Attack Techniques

Technique #1: Local Account Creation (T1136.001)

Create Backdoor Account:

net user backdoor P@ssw0rd! /add
net localgroup administrators backdoor /add

Technique #2: Domain Reconnaissance (T1087.002)

Enumerate Domain:

net user /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

Technique #3: Lateral Movement (T1021.002)

Access Remote Share:

net use \\target\C$ /user:DOMAIN\admin password
net use \\target\IPC$ /user:admin password

Technique #4: Service Manipulation (T1543.003)

net stop WinDefend
net start MaliciousService

Detection Guidance

Detection Strategies

Priority #1: Account Creation/Modification

Process = "net.exe" AND
CommandLine CONTAINS ["user", "/add"] OR ["localgroup", "/add"]
→ ALERT: CRITICAL

Priority #2: Domain Enumeration

Process = "net.exe" AND
CommandLine CONTAINS "/domain"
→ ALERT: HIGH - Domain reconnaissance

Priority #3: Admin Group Modification

Process = "net.exe" AND
CommandLine CONTAINS "administrators" AND "/add"
→ ALERT: CRITICAL - Privilege escalation

Priority #4: Remote Share Access

Process = "net.exe" AND
CommandLine MATCHES "use.*\\\\.*\$"
→ ALERT: HIGH - Admin share access

Sigma Rule:

title: Net.exe Suspicious Activity
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\net.exe'
    CommandLine|contains:
      - 'user /add'
      - 'localgroup administrators'
      - 'group "Domain Admins"'
  condition: selection
level: critical

Remediation Steps

Protection and Remediation

Defense: Monitor net.exe Usage

Log all net.exe executions with command lines.

Defense: Restricted Admin Mode

Enable Restricted Admin for RDP.

If Compromise Suspected

  1. List all user accounts: net user
  2. Check for new accounts
  3. Review group memberships
  4. Check for remote sessions: net session
  5. Review mapped drives: net use
  6. Hunt for persistence

Investigation Checklist

Investigation Checklist

  • Review full command line arguments
  • Check for user/group modifications
  • List all local accounts
  • Review admin group membership
  • Check active sessions
  • Review network share mappings
  • Check for domain enumeration
  • Correlate with other recon activity

MITRE ATT&CK Techniques

T1136.001T1087.002T1087.001T1021.002T1543.003

Related Windows Files

EXCEL.EXEhigh

EXCEL.EXE is **Microsoft Excel**, the spreadsheet application and a **primary malware delivery vecto...

Commonly Abused
everything.exelow

Everything is a fast file search utility by Voidtools. Attackers may use it for rapid file discovery...

expressvpn.exemedium

ExpressVPN is a commercial VPN service client. While legitimate for privacy, it can be abused for C2...

hitmanpro.exelow

HitmanPro is a portable anti-malware scanner from Sophos. It uses cloud-based behavioral analysis to...

Last verified: January 18, 2026