Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0007 ✕ technique: T1136 ✕
Show ATT&CK heatmapUncommon net group command execution Informational 7 variations
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon unsigned net group administrators command execution
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon unsigned net group administrators command execution - fixed localization issues
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group administrators command execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group administrators command execution
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon administrator net group execution by scripting engine or command prompt
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net localgroup command execution Informational 7 variations
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup administrators command execution by a web server process or CGO
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden
Uncommon unsigned net localgroup administrators command execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon unsigned net localgroup administrators command execution - fixed localization issues
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup administrators command execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon remote net localgroup execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon administrator net localgroup execution by scripting engine or command prompt
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon user management via net.exe Informational 1 variation
The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.Variations
Uncommon user management via net.exe by an untrusted CGO
Low overridden
The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden