Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0007 ✕ technique: T1136 ✕

Show ATT&CK heatmap
  • Uncommon net group command execution Informational 7 variations

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon unsigned net group administrators command execution

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon unsigned net group administrators command execution - fixed localization issues

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group administrators command execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group administrators command execution

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon administrator net group execution by scripting engine or command prompt

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

  • Uncommon net localgroup command execution Informational 7 variations

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon net localgroup administrators command execution by a web server process or CGO

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden

    Uncommon unsigned net localgroup administrators command execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon unsigned net localgroup administrators command execution - fixed localization issues

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup administrators command execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon remote net localgroup execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon administrator net localgroup execution by scripting engine or command prompt

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

  • Uncommon user management via net.exe Informational 1 variation

    The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.

    Variations

    Uncommon user management via net.exe by an untrusted CGO

    Low overridden

    The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden