Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Permission Groups Discovery Local Groups, Domain Groups Discovery Moderate

Data Model References

Object Action Field
process create exe
process create command_line

Applicable Sensors


Pseudocode - net.exe instances (Pseudocode, CAR native)

This is a pseudocode representation of the below splunk search.

processes = search Process:Create
net_processes = filter processes where (
  exe = "net.exe" AND (
  command_line="*net* user*" OR
  command_line="*net* group*" OR
  command_line="*net* localgroup*" OR
  command_line="*get-localgroup*" OR
  command_line="*get-ADPrincipalGroupMembership*" )
output net_processes

Splunk Search - net.exe instances (Splunk, Sysmon native)

Look for instances of net.exe

(index=__your_sysmon_index__ EventCode=1) Image="C:\\Windows\\System32\\net.exe" AND (CommandLine="* user*" OR CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*")

LogPoint Search - net.exe instances (Logpoint, LogPoint native)

Look for instances of net.exe

norm_id=WindowsSysmon event_id=1 image="C:\Windows\System32\net.exe" (command="* user*" OR command="* group*" OR command="* localgroup*" OR command="*get-localgroup*" OR command="*get-ADPrincipalGroupMembership*")