Investigating "Reconnaissance via Net Commands" findings

Overview

This guide contains helpful tips for investigating “Reconnaissance via Net Commands” findings. This detection is triggered when events indicate that Microsoft’s Net command utility is being used in a manner consistent with reconnaissance techniques: attackers commonly use net commands to gather information about network resources, users, and system configurations during the discovery phase of an attack.

There are scenarios, such as when RMM tools are in use, where a finding is a false positive and the activity is safe. Reviewing the log data in Report Builder lets you verify the user and processes associated with the command execution, so you can determine whether the activity was malicious.

Using Report Builder to investigate surrounding activity and related processes

Reference: See Using the Report Builder for more information on building reports.

To investigate the activity that led to the “Reconnaissance via Net Commands” finding, build a report in Report Builder and consider the following:

  • What processes led to the execution of the net commands? Review the process_name and parent_process_name fields.
  • What username is associated with the execution of the commands or the related processes? Review the subject_account_name and user fields.
  • Is this activity expected from the associated user or process?

To build a report and review the events related to this finding, do the following:

  1. In the finding, locate these details, which you will use to filter your report in later steps:
    • the device’s name from the devname field
    • the process IDs and parent process IDs from the process_id and parent_process_id fields
  2. Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
  3. Set Time Range to include the time of the activity that you need to investigate.
  4. In Data Sources select Microsoft Windows and Blumira Agent Endpoint Logs.
  5. Under Selected Columns, add columns to your report, such as those below, to see more information about the related processes:
    • devname
    • device_address
    • domain
    • user
    • process_name
    • process_id
    • command
    • parent_process_name
    • parent_process_id
    • parent.cmdline
    • description
    • windows_event_id
    • subject_account_name
  6. Click Edit Report and then click Add Filter.
  7. Add filters to narrow the results as follows:
    • Add a filter for the device in question.
      Example: devname - Equal - workstation1
    • Add a filter on process_id that includes both the process IDs and the parent process IDs from the finding, so the report shows the net commands together with the processes that launched them.
      Example: process_id - In - 123 456 789
  8. Click Submit.

Adding detection filters

RMM tools such as ConnectWise often run net commands as part of their normal operations, which can lead to false positives for this detection. If an expected process such as an RMM tool regularly executes net commands, you may want to add a detection filter similar to the example below to prevent future alerts:

Example: Excluding a net command on a specific device from a known RMM parent process from generating findings:

devname - Equal - Workstation1
AND
command - Equal - Expected net command
AND
parent_process_name - Equal - ExpectedRMMParentProcess.exe
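The following Python script is an added example, not Blumira's code or a reproduction of its detection logic. It models the two filters from this guide, the Report Builder filter on devname and process_id (steps 7 and 8 above) and the three-condition detection filter just shown, over a handful of constructed process-creation events, and it applies a simple "net command used for enumeration" rule to show which events would still produce a finding after the RMM exclusion is in place. The list of net subcommands it treats as reconnaissance (user, group, localgroup, view, share, accounts) is an assumption for the example; the guide does not state which subcommands trigger the detection. The device name, process IDs, user names and commands in the sample events are constructed.

```python
"""Added example (not Blumira's code): triage of constructed Windows process events
for net-command reconnaissance, using the report and detection filters from the guide."""
import ntpath
from dataclasses import dataclass

# Assumed for this example: net subcommands that enumerate users, groups, hosts
# and shares. The guide does not list which subcommands trigger the detection.
RECON_SUBCOMMANDS = {"user", "group", "localgroup", "view", "share", "accounts"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event, using the Report Builder column names from the guide."""
    devname: str
    user: str
    process_name: str
    process_id: int
    command: str
    parent_process_name: str
    parent_process_id: int
    windows_event_id: int


@dataclass(frozen=True)
class DetectionFilter:
    """The exclusion shape from the guide: devname AND command AND parent_process_name."""
    devname: str
    command: str
    parent_process_name: str

    def matches(self, ev: ProcessEvent) -> bool:
        # Equal comparisons, case-insensitive so Workstation1 and workstation1 agree.
        return (ev.devname.lower() == self.devname.lower()
                and ev.command.strip().lower() == self.command.strip().lower()
                and ev.parent_process_name.lower() == self.parent_process_name.lower())


def is_recon_net_command(command: str) -> bool:
    """True when the command line runs net/net1 with an enumeration subcommand."""
    tokens = command.split()
    if len(tokens) < 2:
        return False
    exe = ntpath.basename(tokens[0]).lower()   # strips a full path such as C:\Windows\System32\net.exe
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return exe in {"net", "net1"} and tokens[1].lower() in RECON_SUBCOMMANDS


def build_report(events, devname, ids):
    """Report Builder filters from the guide: devname Equal <device> AND process_id In <ids>.
    Pass both the process IDs and the parent process IDs so the launching process is shown too."""
    wanted = set(ids)
    return [ev for ev in events
            if ev.devname.lower() == devname.lower() and ev.process_id in wanted]


def triage(events, exclusions=()):
    """Events that would still raise a finding: recon-style net commands not
    covered by any detection filter."""
    return [ev for ev in events
            if is_recon_net_command(ev.command)
            and not any(f.matches(ev) for f in exclusions)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ProcessEvent("workstation1", "jdoe", "net.exe", 123, "net user /domain", "cmd.exe", 456, 4688),
    ProcessEvent("workstation1", "jdoe", "net.exe", 789, 'net group "Domain Admins" /domain', "cmd.exe", 456, 4688),
    ProcessEvent("workstation1", "SYSTEM", "net.exe", 321, "net view", "ExpectedRMMParentProcess.exe", 654, 4688),
    ProcessEvent("server2", "svc_backup", "net.exe", 222, r"net use Z: \\fileserver\share", "backup.exe", 111, 4688),
    ProcessEvent("workstation1", "jdoe", "cmd.exe", 456, "cmd.exe", "explorer.exe", 999, 4688),
]

# The exclusion from the guide, with the constructed device and command filled in.
RMM_EXCLUSION = DetectionFilter("Workstation1", "net view", "ExpectedRMMParentProcess.exe")

if __name__ == "__main__":
    # Step 7 of the guide: filter by the device and by both ID types from the finding.
    for ev in build_report(SAMPLE_EVENTS, "workstation1", {123, 456, 789}):
        print(ev.process_id, ev.parent_process_id, ev.user, ev.parent_process_name, ev.command)
    # Findings left after the RMM exclusion: the two cmd.exe-launched enumeration commands.
    print([ev.process_id for ev in triage(SAMPLE_EVENTS, [RMM_EXCLUSION])])
```

The report output for the constructed data contains the two net commands plus their cmd.exe parent (process_id 456), which is why the guide asks you to include parent process IDs in the In filter. The net view launched by the RMM parent drops out of the triage list once the exclusion is applied, while the net use drive mapping never matched the enumeration rule in the first place.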