net1.exe

net1.exe carries out the operations of the net command. When something runs net user, net group, net use, and most other sub-commands, net.exe parses the request and relaunches net1.exe to perform it. The split is historical, but the effect today is that net1.exe does the real work while net.exe is the front end. The genuine binary lives at C:\Windows\System32\net1.exe, and a net1.exe whose parent is net.exe is completely normal.

Everything net1.exe can do is the same as net.exe, account, group, share, session, and service management, because it is the same functionality. The meaningful difference for triage is how it was started: as a child of net.exe during ordinary use, or directly by some other process.

net1.exe carries the same abuse surface as net.exe: account and group reconnaissance (T1087.002, T1069.002), remote share access for lateral movement (T1021.002), and account creation and privilege grants (T1136.001). See the net.exe profile for the detail.

Its own particular value to an attacker is evasion. Because net.exe normally forwards to net1.exe, some detections only watch net.exe and miss the same command issued directly to net1.exe. A net1.exe with no net.exe parent, running recon or /add commands, is the case to flag, the worker invoked on its own to slip past a rule written for the front end.