Windows Net command executed to enumerate administrators

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user runs the net command to enumerate the Administrators group, which could be indicative of adversarial reconnaissance activity.

Strategy

Monitoring of Windows event logs where @evt.id is 4799, @Event.EventData.Data.CallerProcessName is *net1.exe and @Event.EventData.Data.TargetUserName is Administrators.

Triage and response

Verify if {{@Event.EventData.Data.SubjectUserName}} has a legitimate reason to check for users in the Administrator group on {{host}}.

PREVIEWING: rtrieu/product-analytics-ui-changes