Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
The 'net localgroup' command is used to add, display, or modify groups local to the host. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships.
Attacker's Goals
Attackers can attempt to use the command to find endpoint groups and permissions settings or modify local group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
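
The two investigative checks above can be scripted over process-creation telemetry. The following is an added example, not the vendor's detection logic: the event tuples are constructed sample data, and the group list (beyond administrators) and the discovery tool list are assumptions to adapt to your environment.

```python
import shlex
from collections import defaultdict

# Assumed lists: only "administrators" is named on the page; the rest are illustrative.
SENSITIVE_GROUPS = {"administrators", "remote desktop users", "backup operators"}
DISCOVERY_TOOLS = {"whoami", "ipconfig", "systeminfo", "nltest", "tasklist"}

# Constructed process-creation events: (initiating process id, command line).
SAMPLE_EVENTS = [
    (4120, "whoami /all"),
    (4120, r"C:\Windows\System32\net.exe localgroup administrators"),
    (4120, "systeminfo"),
    (5300, 'net1 localgroup "Remote Desktop Users" svc_backup /add'),
    (6011, "net localgroup"),
    (6011, "notepad.exe report.txt"),
]

def tool_name(token):
    """Lower-case executable name without directory or .exe suffix."""
    name = token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def parse_localgroup(cmdline):
    """Return group, action and sensitivity for a 'net localgroup' call, else None."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    if len(tokens) < 2 or tool_name(tokens[0]) not in ("net", "net1") \
            or tokens[1].lower() != "localgroup":
        return None
    switches = [a.lower() for a in tokens[2:] if a.startswith("/")]
    names = [a for a in tokens[2:] if not a.startswith("/")]
    group = names[0] if names else None
    modifies = any(s.startswith(("/add", "/delete", "/comment")) for s in switches)
    return {"group": group, "action": "modify" if modifies else "display",
            "sensitive": group is not None and group.lower() in SENSITIVE_GROUPS}

def triage(events):
    """Per initiating process: localgroup calls plus other discovery commands it ran."""
    by_proc = defaultdict(list)
    for pid, cmd in events:
        by_proc[pid].append(cmd)
    findings = {}
    for pid, cmds in by_proc.items():
        hits = [h for h in map(parse_localgroup, cmds) if h]
        other = [c for c in cmds if c.split() and tool_name(c.split()[0]) in DISCOVERY_TOOLS]
        if hits:
            findings[pid] = {"localgroup": hits, "other_discovery": other}
    return findings
```

A process that both touches a sensitive group and has a non-empty `other_discovery` list, or whose action is `modify`, is the one to look at first.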