It’s been nearly 4 years since I published my last article in this series providing the community with a large corpora of sandbox reports (apilog_2019-07-14).

One of the less known (but still pretty interesting, artifact-wise) findings inside this 200MB+ file includes a large number of “net user” command invocations that can be attributed to either reconnaissance activities or are basic account creation commands issued by malicious samples…

Yes, when you look at these invocations on an individual sample level they probably don’t stand out too much and don’t have much of an impact, but if you look at them in bulk, they do light up the terminal like a xmas tree…

Let’s have a look!

We execute a ripgrep search on the apilog_2019-07-14 file:

rg -i --iglob apilog_2019-07-14 "net\s+user"

– it is looking for any ‘net user’ case-insensitive string references preserved within this large file. The results give us a lot to think about… but, more importantly, force us to do some time-consuming manual clean up first ;), then finally leading us to the following list…

Do you like what you see?