Synopsis
Description
The 'net' group or localgroup command is used to add, display, or modify local or domain-level groups. Adversaries may attempt to use the command to find local or domain-level groups and permissions settings or modify local or domain-level group memberships.
Attacker's Goals
Attackers may attempt to use the command to find local or domain-level groups and permissions settings or modify local or domain-level group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
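The two investigative actions above, sketched as an added example (not part of the original page or of the product's detection logic): it parses net group / net localgroup command lines, flags sensitive groups, and lists other discovery commands launched by the same initiating process. The group and tool lists and the event field names (host, parent_pid, cmd) are assumptions, and the sample events are constructed.

```python
import shlex

# Assumed lists for illustration; tune both to your environment.
SENSITIVE_GROUPS = {"administrators", "domain admins", "enterprise admins"}
DISCOVERY_TOOLS = {"whoami", "ipconfig", "systeminfo", "nltest", "tasklist", "net", "net1"}

def split_cmd(cmdline):
    """Return (executable name without path or .exe, remaining tokens)."""
    tokens = shlex.split(cmdline, posix=False)  # keeps backslashes and quoted names intact
    if not tokens:
        return "", []
    exe = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return (exe[:-4] if exe.endswith(".exe") else exe), tokens[1:]

def parse_net_group(cmdline):
    """Describe a net group/localgroup call, or return None for anything else."""
    exe, args = split_cmd(cmdline)
    if exe not in ("net", "net1") or not args or args[0].lower() not in ("group", "localgroup"):
        return None
    switches = {a.lower() for a in args[1:] if a.startswith("/")}
    names = [a.strip('"') for a in args[1:] if not a.startswith("/")]
    group = names[0].lower() if names else None
    return {"verb": args[0].lower(), "group": group, "sensitive": group in SENSITIVE_GROUPS,
            "domain": "/domain" in switches, "modifies": bool(switches & {"/add", "/delete"})}

def triage(events):
    """For each net group/localgroup event, answer both investigative checks."""
    findings = []
    for ev in events:
        info = parse_net_group(ev["cmd"])
        if info is None:
            continue
        # Other discovery commands launched by the same initiating process on the same host.
        others = [e["cmd"] for e in events if e is not ev
                  and (e["host"], e["parent_pid"]) == (ev["host"], ev["parent_pid"])
                  and split_cmd(e["cmd"])[0] in DISCOVERY_TOOLS]
        findings.append({**info, "host": ev["host"], "other_discovery": others})
    return findings

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_pid": 4120, "cmd": "whoami /all"},
    {"host": "ws01", "parent_pid": 4120, "cmd": 'net group "Domain Admins" /domain'},
    {"host": "ws01", "parent_pid": 4120, "cmd": "nltest /dclist:corp.example"},
    {"host": "ws02", "parent_pid": 880, "cmd": r"C:\Windows\System32\net.exe localgroup Users"},
]
```

A finding with `sensitive` set and a non-empty `other_discovery` list is the combination the investigative actions ask about; `modifies` separates membership changes from plain enumeration.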
Variations
Uncommon unsigned net group administrators command execution
Synopsis
Description
The 'net' group command is used to add, display, or modify domain-level groups. Adversaries may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Attacker's Goals
Attackers may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon remote net group administrators command execution
Synopsis
Description
The 'net' group command is used to add, display, or modify domain-level groups. Adversaries may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Attacker's Goals
Attackers may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon net group administrators command execution
Synopsis
Description
The 'net' group command is used to add, display, or modify domain-level groups. Adversaries may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Attacker's Goals
Attackers may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon net group execution
Synopsis
Description
The 'net' group command is used to add, display, or modify domain-level groups. Adversaries may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Attacker's Goals
Attackers may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon remote net group execution
Synopsis
Description
The 'net' group command is used to add, display, or modify domain-level groups. Adversaries may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Attacker's Goals
Attackers may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon administrator net group execution by scripting engine or command prompt
Synopsis
Description
The 'net' group command is used to add, display, or modify domain-level groups. Adversaries may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Attacker's Goals
Attackers may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon net localgroup administrators command execution by a web server process or CGO
Synopsis
Description
The 'net' localgroup command is used to add, display, or modify local groups. Adversaries may attempt to use the command to find local groups and permissions settings or modify local group memberships. When the command is launched by a web server process, it might have been run from an installed web shell.
Attacker's Goals
Attackers may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon unsigned net localgroup administrators command execution
Synopsis
Description
The 'net' localgroup command is used to add, display, or modify local groups. Adversaries may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Attacker's Goals
Attackers may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon net localgroup administrators command execution
Synopsis
Description
The 'net' localgroup command is used to add, display, or modify local groups. Adversaries may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Attacker's Goals
Attackers may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon net localgroup execution
Synopsis
Description
The 'net' localgroup command is used to add, display, or modify local groups. Adversaries may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Attacker's Goals
Attackers may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon remote net localgroup execution
Synopsis
Description
The 'net' localgroup command is used to add, display, or modify local groups. Adversaries may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Attacker's Goals
Attackers may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.
Uncommon administrator net localgroup execution by scripting engine or command prompt
Synopsis
Description
The 'net' localgroup command is used to add, display, or modify local groups. Adversaries may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Attacker's Goals
Attackers may attempt to use the command to find local groups and permissions settings or modify local group memberships.
Investigative actions
- Check if the queried group is a sensitive one (e.g. administrators).
- Check whether the initiating process has executed additional discovery commands.