Windows Group Discovery Via Net

Splunk Security Content

Summary
This analytic detects execution of 'net.exe' with command-line arguments that query global, local, and domain groups in a Windows environment (the group and localgroup subcommands, with or without the /domain switch). It uses process-creation telemetry collected by Endpoint Detection and Response (EDR) agents, matching on the process name and its command-line parameters. The activity matters because it is characteristic of reconnaissance: threat actors enumerate local and domain groups during Active Directory discovery to identify privileged groups and their members. The resulting insight into the domain's structure supports follow-on actions such as privilege escalation and lateral movement. Note that net.exe hands most subcommands to net1.exe, so the match should cover both images. The rule filters out benign usages of the command that are primarily associated with administrative troubleshooting.
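To make the matching logic concrete, the following is an added example, not the Splunk search or any code from the Splunk Security Content project: a small Python model of the same decision run over constructed EDR process-creation records. It classifies net.exe and net1.exe invocations of the group and localgroup subcommands into the two ATT&CK sub-techniques listed on this page, ignores membership changes (/add, /delete) because those are account manipulation rather than discovery, and suppresses hits from an allow-listed parent image to stand in for the rule's tuning filter. The event fields, the sample events, the hypothetical parent "inventory.exe" on the allow list, and the choice to accept any /do prefix as /domain are all assumptions of this example.

```python
"""Toy model of the net.exe group-discovery detection described above.
All events below are constructed for this example; nothing here is the
rule's actual SPL or the project's own code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon EventID 1 / Security 4688 shape)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent_image: str    # basename of the parent, lower-cased
    technique: str       # ATT&CK sub-technique: T1069.001 local, T1069.002 domain
    subcommand: str      # "group" or "localgroup"
    target: str          # group named on the command line, or "*" for a full listing
    domain_scoped: bool  # /domain switch present
    command_line: str


NET_IMAGES = {"net.exe", "net1.exe"}      # net.exe hands the work to net1.exe
_TOKEN = re.compile(r'"[^"]*"|\S+')       # keeps "Domain Admins" as one token


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> List[str]:
    # Split on whitespace but keep double-quoted arguments intact, then drop the quotes.
    return [t.strip('"') for t in _TOKEN.findall(command_line)]


def classify(ev: ProcessEvent) -> Optional[Finding]:
    """Return a Finding if the event is a net.exe group-discovery command, else None."""
    if _basename(ev.image) not in NET_IMAGES:
        return None
    argv = _tokens(ev.command_line)
    if len(argv) < 2:
        return None                      # bare "net" only prints usage
    sub = argv[1].lower()
    if sub not in ("group", "localgroup"):
        return None                      # net user / view / share belong to other rules
    rest = argv[2:]
    switches = {a.lower() for a in rest if a.startswith("/")}
    if any(s.startswith(("/add", "/del")) for s in switches):
        return None                      # membership changes are manipulation, not discovery
    positional = [a for a in rest if not a.startswith("/")]
    # Assumption: accept any /do... prefix as /domain so abbreviated forms are not missed.
    domain_scoped = any(s.startswith("/do") for s in switches)
    # "net group" only works against a domain (it fails on a workstation without /domain),
    # and "/domain" sends localgroup queries to the domain as well.
    technique = "T1069.002" if (sub == "group" or domain_scoped) else "T1069.001"
    target = positional[0] if positional else "*"
    return Finding(ev.host, ev.user, _basename(ev.parent_image), technique,
                   sub, target, domain_scoped, ev.command_line)


def detect(events: Iterable[ProcessEvent],
           benign_parents: frozenset = frozenset()) -> List[Finding]:
    """Run classify() over a stream and drop hits whose parent image is allow-listed."""
    findings = []
    for ev in events:
        f = classify(ev)
        if f is None or f.parent_image in benign_parents:
            continue                     # allow list stands in for the rule's tuning filter
        findings.append(f)
    return findings


# Constructed sample events (hosts, users and paths are invented for this example).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    ProcessEvent("WS01", "CORP\\alice",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\net1.exe",
                 r'"C:\Windows\System32\net1.exe" localgroup Administrators'),
    ProcessEvent("WS02", "CORP\\bob", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\net.exe", "net user bob /domain"),
    ProcessEvent("WS02", "CORP\\bob", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\net.exe", "net localgroup Administrators eve /add"),
    ProcessEvent("SRV01", "CORP\\svc_inventory", r"C:\Program Files\ITOps\inventory.exe",
                 r"C:\Windows\System32\net.exe", "net localgroup"),
    ProcessEvent("WS03", "CORP\\carol", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
BENIGN_PARENTS = frozenset({"inventory.exe"})   # hypothetical tuning entry

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, BENIGN_PARENTS):
        print(f"{f.host} {f.user} {f.technique} net {f.subcommand} {f.target} "
              f"via {f.parent_image}: {f.command_line}")
```

Run as-is it reports two findings: the domain-group query from cmd.exe (T1069.002, target "Domain Admins") and the local Administrators enumeration launched through net1.exe from PowerShell (T1069.001). The "net user" and "/add" events fall through by design, and the bare "net localgroup" from the hypothetical inventory tool is dropped only because its parent is allow-listed; pass an empty allow list to detect() to see it surface as a third hit.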
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1069
  • T1069.001
  • T1069.002
Created: 2025-01-13