Windows Net command executed to enumerate administrators

windows

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1087-account-discovery

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a user runs the net command to enumerate the Administrators group, which could be indicative of adversarial reconnaissance activity.

Strategy

Monitoring of Windows event logs where @evt.id is 4799, @Event.EventData.Data.CallerProcessName is *net1.exe and @Event.EventData.Data.TargetUserName is Administrators.

Triage and response

Verify if {{@Event.EventData.Data.SubjectUserName}} has a legitimate reason to check for users in the Administrator group on {{host}}.

PREVIEWING: drodriguezhdez/add_public_docs_log_summarization