Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups (for example, creating a group or adding an account to Administrators).
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
Variations
Uncommon net localgroup administrators command execution by a web server process or CGI
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups. When the parent is a web server process or CGI handler, the command may have been issued through a web shell installed on the server.
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
- Review recently written script files under the web server's content directories and the web server's request logs for the web shell that issued the command.
Uncommon unsigned net localgroup administrators command execution
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups. This variation covers commands that reference the Administrators group.
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
Uncommon unsigned net localgroup administrators command execution - fixed localization issues
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups. This variation covers commands that reference the Administrators group.
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
Uncommon net localgroup administrators command execution
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups. This variation covers commands that reference the Administrators group.
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
Uncommon net localgroup execution
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups.
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
Uncommon remote net localgroup execution
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups.
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
Uncommon administrator net localgroup execution by scripting engine or command prompt
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
Uncommon execution of the net localgroup command, which may be used to enumerate local groups and their members, or to make unauthorized changes to local groups. This variation covers commands that reference the Administrators group and are launched by a scripting engine or command prompt (such as cmd.exe or PowerShell).
Attacker's Goals
Attackers may use the command to find which accounts hold privileged local group memberships, or to add or remove members of local groups.
Investigative actions
- Check if the queried group is a sensitive one (e.g. Administrators).
- Check the full command line for the /add or /delete switches, which indicate a group or membership change rather than a query.
- Check whether the initiating process has executed additional discovery commands.
- Examine the script or parent command line that launched net, since the same script often runs the other discovery commands.
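Worked example, added to this page and not part of the detector or its vendor's code: a small Python triage script that applies the investigative actions above to constructed process-creation events and sorts each net localgroup call into the variations listed on this page (web server or CGI parent, unsigned image against Administrators, remote session, scripting engine or command prompt parent, Administrators target, plain execution). It parses the command line to separate enumeration from /add and /delete changes, and, for the last investigative action, lists other discovery commands started by the same parent process. The image-name sets, the logon-type values used to mark a session as remote, the precedence between variations, the localized group names and the sample events are all assumptions of the example, not properties of the detector.

```python
"""Triage of 'net localgroup' process-creation events (added example).

Classifies each event into the variations described on this page and answers
the investigative questions: is the group sensitive, was the group changed or
only listed, and did the initiating process run other discovery commands.
Image-name sets, logon types, precedence and sample events are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sensitive local groups. The non-English names illustrate why a name match
# must cover localized Windows builds (assumed, illustrative list).
SENSITIVE_GROUPS = {
    "administrators", "administratoren", "administrateurs", "administradores",
    "remote desktop users", "backup operators",
}
# Parent images that drive the variation severities (assumed example names).
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SCRIPT_OR_SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe",
                          "wscript.exe", "cscript.exe", "mshta.exe"}
DISCOVERY_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "systeminfo.exe",
                    "ipconfig.exe", "nltest.exe", "quser.exe", "tasklist.exe"}
REMOTE_LOGON_TYPES = {3, 10}   # Windows logon types: 3 = network, 10 = RDP


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    parent_image: str       # basename of the parent executable
    image: str              # basename of the executable
    cmdline: str
    signed: bool = True     # Authenticode status of the image
    logon_type: int = 2     # 2 = interactive console logon


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping "quoted strings" as one token."""
    return [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_net_localgroup(cmdline: str) -> Optional[dict]:
    """Return group, member and action for a net/net1 localgroup command, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 2:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in {"net", "net.exe", "net1", "net1.exe"} or toks[1].lower() != "localgroup":
        return None
    switches = {t.lower() for t in toks[2:] if t.startswith("/")}
    positional = [t for t in toks[2:] if not t.startswith("/")]
    group = positional[0] if positional else None
    member = positional[1] if len(positional) > 1 else None
    if "/add" in switches:          # 'net localgroup G /add' creates G,
        action = "add_member" if member else "create_group"   # 'G user /add' adds a member
    elif "/delete" in switches:
        action = "remove_member" if member else "delete_group"
    else:
        action = "enumerate"        # no switch: list groups or members only
    return {"group": group, "member": member, "action": action,
            "sensitive": group is not None and group.lower() in SENSITIVE_GROUPS}


def classify(event: ProcEvent, parsed: dict) -> tuple:
    """Map an event to a variation name and the severity the page assigns it.

    Precedence is this example's choice: Medium variations beat Low ones and
    the unqualified detector is Informational.
    """
    parent = event.parent_image.lower()
    if parent in WEB_SERVER_IMAGES:
        return "by a web server process or CGI (possible web shell)", "Medium"
    if not event.signed and parsed["sensitive"]:
        return "unsigned net localgroup administrators", "Medium"
    if event.logon_type in REMOTE_LOGON_TYPES:
        return "remote net localgroup execution", "Medium"
    if parsed["sensitive"] and parent in SCRIPT_OR_SHELL_IMAGES:
        return "administrator net localgroup by scripting engine or command prompt", "Low"
    if parsed["sensitive"]:
        return "net localgroup administrators", "Low"
    return "net localgroup execution", "Informational"


def triage(events: list) -> list:
    """One finding per net localgroup call, with the other discovery commands of its parent."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.parent_pid, []).append(e)
    findings = []
    for e in events:
        parsed = parse_net_localgroup(e.cmdline)
        if parsed is None:
            continue
        variation, severity = classify(e, parsed)
        other_discovery = sorted(s.image.lower() for s in by_parent[e.parent_pid]
                                 if s.pid != e.pid and s.image.lower() in DISCOVERY_IMAGES)
        findings.append({"pid": e.pid, "variation": variation, "severity": severity,
                         "group": parsed["group"], "action": parsed["action"],
                         "sensitive_group": parsed["sensitive"],
                         "other_discovery": other_discovery})
    return findings


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(101, 20, "w3wp.exe", "net.exe", r"C:\Windows\System32\net.exe localgroup administrators"),
    ProcEvent(102, 30, "powershell.exe", "net.exe", "net localgroup Administrators svc_backup /add"),
    ProcEvent(103, 40, "cmd.exe", "whoami.exe", "whoami /all", logon_type=10),
    ProcEvent(104, 40, "cmd.exe", "net.exe", 'net localgroup "Remote Desktop Users"', logon_type=10),
    ProcEvent(105, 50, "explorer.exe", "net.exe", "net localgroup"),
    ProcEvent(106, 60, "services.exe", "net1.exe", "net1 localgroup Administratoren", signed=False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints one finding per net localgroup event: the w3wp.exe child and the unsigned net1.exe call come out Medium, the PowerShell-launched /add against Administrators comes out Low with action add_member, the RDP-session call is Medium and carries whoami.exe as a sibling discovery command, and the bare `net localgroup` from explorer.exe is Informational. Matching group names in the command line is what makes the localized-name problem visible: on a German build the sensitive group is Administratoren, so a check that only knows "administrators" misses it.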