CAR-2020-11-006: Local Permission Group Discovery
Adversaries frequently enumerate local or domain permission groups, and the net utility is the most common way to do it. This analytic looks for instances of net.exe whose command line carries the user, group or localgroup subcommands. net.exe is also used routinely by system administrators, logon scripts and software installers, so the analytic will produce false positives and should be tuned on user, host and parent process. Two caveats apply to the searches as written: the get-localgroup and get-ADPrincipalGroupMembership patterns are PowerShell cmdlets, so they cannot match while the image is restricted to net.exe; and net.exe hands most subcommands to net1.exe, while 32-bit processes launch the copy under SysWOW64, so neither of those images is covered by the System32\net.exe path.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
Permission Groups Discovery | Local Groups, Domain Groups | Discovery | Moderate |
D3FEND Techniques
ID | Name |
---|---|
D3-PSA | Process Spawn Analysis |
Data Model References
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | command_line |
Implementations
Pseudocode - net.exe instances (Pseudocode, CAR native)
This is a pseudocode representation of the Splunk search below.
processes = search Process:Create
net_processes = filter processes where (
exe = "net.exe" AND (
command_line="*net* user*" OR
command_line="*net* group*" OR
command_line="*net* localgroup*" OR
command_line="*get-localgroup*" OR
command_line="*get-ADPrincipalGroupMembership*" )
output net_processes
Splunk Search - net.exe instances (Splunk, Sysmon native)
Look for instances of net.exe
(index=__your_sysmon_index__ EventCode=1) Image="C:\\Windows\\System32\\net.exe" AND (CommandLine="* user*" OR CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*")
LogPoint Search - net.exe instances (Logpoint, LogPoint native)
Look for instances of net.exe
norm_id=WindowsSysmon event_id=1 image="C:\Windows\System32\net.exe" (command="* user*" OR command="* group*" OR command="* localgroup*" OR command="*get-localgroup*" OR command="*get-ADPrincipalGroupMembership*")
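The filter from the pseudocode and Splunk search above, run over a handful of constructed Sysmon Event ID 1 records. This is an added example, not CAR's own code: it models Splunk's wildcard field matching as an anchored, case-insensitive regular expression, the sample events are made up for illustration, and the BROADER_IMAGES set (SysWOW64\net.exe and the net1.exe helper) is an assumed extension of the analytic that goes beyond the searches on this page. Running it shows that the PowerShell cmdlet patterns never fire under the net.exe image filter and that net1.exe activity is missed unless the image list is widened.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Image path and command-line patterns taken from the CAR pseudocode / Splunk search.
ANALYTIC_IMAGE = r"C:\Windows\System32\net.exe"
COMMAND_LINE_PATTERNS = [
    "* user*",
    "* group*",
    "* localgroup*",
    "*get-localgroup*",                  # PowerShell cmdlet: cannot match under the net.exe image filter
    "*get-ADPrincipalGroupMembership*",  # same
]

# Assumed extension (not part of the CAR analytic): the 32-bit copy of net.exe and
# the net1.exe helper that net.exe hands most subcommands to.
BROADER_IMAGES = {
    r"C:\Windows\System32\net.exe",
    r"C:\Windows\SysWOW64\net.exe",
    r"C:\Windows\System32\net1.exe",
    r"C:\Windows\SysWOW64\net1.exe",
}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk-style wildcard ('*' = any run of characters) into an
    anchored, case-insensitive regex, mirroring Splunk's field=value semantics."""
    escaped = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(escaped) + "$", re.IGNORECASE | re.DOTALL)


_COMMAND_LINE_REGEXES = [wildcard_to_regex(p) for p in COMMAND_LINE_PATTERNS]


@dataclass(frozen=True)
class ProcessCreateEvent:
    """A Sysmon Event ID 1 record reduced to the two fields the analytic reads."""
    record_id: int
    image: str
    command_line: Optional[str]


def matches_analytic(event: ProcessCreateEvent,
                     images: Optional[Set[str]] = None) -> bool:
    """True if the event satisfies the CAR-2020-11-006 filter (exact image match,
    any of the command-line wildcards)."""
    allowed = {i.lower() for i in (images or {ANALYTIC_IMAGE})}
    if event.image.lower() not in allowed:
        return False
    cmd = event.command_line or ""  # Sysmon can leave CommandLine empty
    return any(rx.match(cmd) for rx in _COMMAND_LINE_REGEXES)


def run_analytic(events: Iterable[ProcessCreateEvent],
                 images: Optional[Set[str]] = None) -> List[int]:
    """Return the record ids the analytic would surface, in input order."""
    return [e.record_id for e in events if matches_analytic(e, images)]


# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    ProcessCreateEvent(1, r"C:\Windows\System32\net.exe", "net user"),
    ProcessCreateEvent(2, r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    ProcessCreateEvent(3, r"C:\Windows\System32\net.exe", "net localgroup administrators"),
    ProcessCreateEvent(4, r"C:\Windows\System32\net.exe", "NET LOCALGROUP Administrators bob /add"),
    ProcessCreateEvent(5, r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share"),   # benign: no match
    ProcessCreateEvent(6, r"C:\Windows\System32\net1.exe", "C:\\Windows\\system32\\net1 user"),  # missed by the page's image filter
    ProcessCreateEvent(7, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "powershell -Command Get-LocalGroup"),                                    # cmdlet pattern is dead under net.exe
    ProcessCreateEvent(8, r"C:\Windows\System32\net.exe", None),                                  # empty command line
]

if __name__ == "__main__":
    print("CAR filter as written:   ", run_analytic(SAMPLE_EVENTS))                  # [1, 2, 3, 4]
    print("with net1.exe / SysWOW64:", run_analytic(SAMPLE_EVENTS, BROADER_IMAGES))  # [1, 2, 3, 4, 6]
```

The anchored pattern is what makes "* user*" require a literal space before "user", so "net use \\server /user:bob" is not caught; if that form matters in your environment, add a "*/user:*" style pattern deliberately rather than loosening the existing ones.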