Windows Net command executed to enumerate administrators

Goal

Detect when a user runs the net command to enumerate the Administrators group, which could be indicative of adversarial reconnaissance activity.

Strategy

Monitoring of Windows event logs where @evt.id is 4799, @Event.EventData.Data.CallerProcessName is *net1.exe and @Event.EventData.Data.TargetUserName is Administrators.

Triage and response

Verify if {{@Event.EventData.Data.SubjectUserName}} has a legitimate reason to check for users in the Administrator group on {{host}}.

PREVIEWING: mervebolat/span-id-preprocessing