Uncommon net group command execution

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-01-04

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery (T1069)
Severity	Informational

Description

Uncommon net group command execution.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Variations

Uncommon unsigned net group administrators command execution

Synopsis

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery (T1069)
Severity	High

Description

Uncommon net group command execution.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon remote net group administrators command execution

Synopsis

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery (T1069)
Severity	Low

Description

Uncommon net group command execution.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon net group administrators command execution

Synopsis

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery (T1069)
Severity	Medium

Description

Uncommon net group command execution.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon net group execution

Synopsis

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery (T1069)
Severity	Low

Description

Uncommon net group command execution.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon remote net group execution

Synopsis

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery (T1069)
Severity	Low

Description

Uncommon net group command execution.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.

Uncommon administrator net group execution by scripting engine or command prompt

Synopsis

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery (T1069)
Severity	Medium

Description

Uncommon net group command execution.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups permissions settings or modify domain-level memberships.

Investigative actions

Check if the queried group is a sensitive one (e.g. administrators).
Check whether the initiating process has executed additional discovery commands.