The sub-techniques beta is now live! Read the release blog post for more info.


The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

ID: S0039
Associated Software: net.exe
Type: TOOL
Platforms: Windows
Contributors: David Ferguson, CyberSponse
Version: 2.0
Created: 31 May 2017
Last Modified: 24 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Commands under net user can be used in Net to gather information about and manipulate user accounts.[2]

Enterprise T1136 Create Account

The net user username \password and net user username \password \domain commands in Net can be used to create a local or domain account respectively.[2]

Enterprise T1126 Network Share Connection Removal

The net use \system\share /delete command can be used in Net to remove an established connection to a network share.[4]

Enterprise T1135 Network Share Discovery

The net view \remotesystem and net share commands in Net can be used to find shared drives and directories on remote and local systems respectively.[2]

Enterprise T1201 Password Policy Discovery

The net accounts and net accounts /domain commands with Net can be used to obtain password policy information.[2]

Enterprise T1069 Permission Groups Discovery

Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups.[2]

Enterprise T1018 Remote System Discovery

Commands such as net view can be used in Net to gather information about available remote systems.[2]

Enterprise T1035 Service Execution

The net start and net stop commands can be used in Net to execute or stop Windows services.[2]

Enterprise T1049 System Network Connections Discovery

Commands such as net use and net session can be used in Net to gather information about network connections from a particular host.[2]

Enterprise T1007 System Service Discovery

The net start command can be used in Net to find information about Windows services.[2]

Enterprise T1124 System Time Discovery

The net time command can be used in Net to determine the local or remote system time.[3]

Enterprise T1077 Windows Admin Shares

Lateral movement can be done with Net through net use commands to connect to the on remote systems.[2]

Groups That Use This Software

ID Name References
G0071 Orangeworm [5]
G0045 menuPass [6]
G0019 Naikon [7]
G0027 Threat Group-3390 [8]
G0009 Deep Panda [9]
G0028 Threat Group-1314 [10]
G0018 admin@338 [11]
G0082 APT38 [12]
G0006 APT1 [13]
G0010 Turla [14]
G0050 APT32 [15]
G0074 Dragonfly 2.0 [17]
G0049 OilRig [18] [19]
G0004 Ke3chang [20] [21]
G0061 FIN8 [22]
G0065 Leviathan [23]
G0064 APT33 [24]
G0093 Soft Cell [25]


  1. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  2. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  3. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  4. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  5. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  6. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  7. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  8. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  9. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  10. Plan, F., et all. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  11. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  12. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.