Uncommon net group command execution

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-15

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Discovery (TA0007) Persistence (TA0003)
ATT&CK Technique	Permission Groups Discovery (T1069) Create Account (T1136)
Severity	Informational

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Variations

Uncommon unsigned net group administrators command execution

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon unsigned net group administrators command execution - fixed localization issues

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon remote net group administrators command execution

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon net group administrators command execution

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon net group execution

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon remote net group execution

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon administrator net group execution by scripting engine or command prompt

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

Attacker's Goals

Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.