Adversaries may use the ‘net’ tool to enumerate users and groups in a Windows environment to gather information about potential targets or privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify reconnaissance activities that could lead to further compromise.
KQL Query
```kql
imProcessCreate
| where (CommandLine has ' user ' or CommandLine has ' group ') and (CommandLine hassuffix ' /do' or CommandLine hassuffix ' /domain')
| where Process has 'net.exe' // performance pre-filtering
| extend FileName=tostring(split(Process, '\\')[-1])
| where FileName == 'net.exe' and ActorUsername != "" and CommandLine !contains '\\' and CommandLine !contains '/add'
// Capture the user or group name that follows the verb: (?:user|group) is a non-capturing
// alternation, so the name (optionally quoted) is capture group 1
| extend Target = extract("(?i)(?:user|group) (\"*[a-zA-Z0-9_ -]+\"*)", 1, CommandLine)
| where Target != ''
| summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by ActorUsername, Target, CommandLine, Dvc, EventVendor, EventProduct
| sort by ActorUsername, Target
| extend timestamp = minTimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc
```
```yaml
id: 7b3ed03a-7474-4dad-9c6a-92e7b69f6584
name: Enumeration of users and groups (Normalized Process Events)
description: |
  Finds attempts to list users or groups using the built-in Windows 'net' tool
requiredDataConnectors: []
tactics:
  - Discovery
query: |
  imProcessCreate
  | where (CommandLine has ' user ' or CommandLine has ' group ') and (CommandLine hassuffix ' /do' or CommandLine hassuffix ' /domain')
  | where Process has 'net.exe' // performance pre-filtering
  | extend FileName=tostring(split(Process, '\\')[-1])
  | where FileName == 'net.exe' and ActorUsername != "" and CommandLine !contains '\\' and CommandLine !contains '/add'
  // Capture the user or group name that follows the verb: (?:user|group) is a non-capturing
  // alternation, so the name (optionally quoted) is capture group 1
  | extend Target = extract("(?i)(?:user|group) (\"*[a-zA-Z0-9_ -]+\"*)", 1, CommandLine)
  | where Target != ''
  | summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by ActorUsername, Target, CommandLine, Dvc, EventVendor, EventProduct
  | sort by ActorUsername, Target
  | extend timestamp = minTimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc
```
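As an added example (not part of the Sentinel rule or of this page), the following Python re-implements the query's filter chain and target extraction and runs it over constructed process-creation events, so the effect of each exclusion can be checked offline. Field names follow the imProcessCreate columns the query uses; the sample events and the `CORP\jdoe` account are made up.

```python
import re
from collections import Counter
from typing import Optional

# Regex mirroring the query's extract(): a non-capturing (?:user|group)
# alternation, so the name following the verb is capture group 1.
TARGET_RE = re.compile(r'(?i)(?:user|group) ("*[a-zA-Z0-9_ -]+"*)')


def enumeration_target(process: str, command_line: str, actor: str) -> Optional[str]:
    """Apply every filter of the KQL query to one event and return the
    enumerated user/group name, or None when the event would be dropped.
    KQL has/hassuffix/contains are case-insensitive, so those checks run on a
    lower-cased copy; FileName == 'net.exe' stays case-sensitive as in KQL."""
    cl = command_line.lower()
    if not (" user " in cl or " group " in cl):
        return None
    if not (cl.endswith(" /do") or cl.endswith(" /domain")):
        return None
    if process.split("\\")[-1] != "net.exe" or actor == "":
        return None
    if "\\" in cl or "/add" in cl:  # exclusions: paths/UNC and account creation
        return None
    m = TARGET_RE.search(command_line)
    # KQL keeps the trailing space the greedy class swallows; trimmed here.
    return m.group(1).strip() if m else None


def summarize(events: list) -> Counter:
    """Mirror of the summarize step: hit count per actor/target/command line/host."""
    hits = Counter()
    for ev in events:
        target = enumeration_target(ev["Process"], ev["CommandLine"], ev["ActorUsername"])
        if target:
            hits[(ev["ActorUsername"], target, ev["CommandLine"], ev["Dvc"])] += 1
    return hits


# Constructed sample process-creation events (not real telemetry).
NET = r"C:\Windows\System32\net.exe"
SAMPLE_EVENTS = [
    {"Process": NET, "CommandLine": 'net group "Domain Admins" /domain', "ActorUsername": "CORP\\jdoe", "Dvc": "WS01"},
    {"Process": NET, "CommandLine": "net user svc_backup /domain", "ActorUsername": "CORP\\jdoe", "Dvc": "WS01"},
    {"Process": NET, "CommandLine": "net user /domain", "ActorUsername": "CORP\\jdoe", "Dvc": "WS01"},  # no name given
    {"Process": NET, "CommandLine": "net user tmpadm Pw1 /add /domain", "ActorUsername": "CORP\\jdoe", "Dvc": "WS01"},  # /add
    {"Process": NET.replace("net.exe", "net1.exe"), "CommandLine": "net1 user alice /do", "ActorUsername": "CORP\\jdoe", "Dvc": "WS01"},
    {"Process": NET, "CommandLine": "net user svc_backup /domain", "ActorUsername": "", "Dvc": "WS02"},  # no actor
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).items():
        print(n, key)
```

Only the two events that name a specific account or group survive; the bare `net user /domain` listing yields no Target and is dropped by the query as written.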
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
- Scenario: A system administrator is using the net user command to audit user accounts during a routine security review.
  - Filter/Exclusion: Exclude processes initiated by the Administrators group or users with the User Account Management privilege.
- Scenario: A scheduled job runs the net group command to synchronize group memberships with an external directory service (e.g., Active Directory).
  - Filter/Exclusion: Exclude processes associated with scheduled tasks or services known to perform regular synchronization tasks (e.g., ADSync or DSSync).
- Scenario: A developer is using the net use command to map a network drive for accessing shared resources.
  - Filter/Exclusion: Exclude processes initiated by non-administrative users or those involving network drive mapping (e.g., net use with UNC paths).
- Scenario: A security tool or SIEM agent runs the net user command to collect user information for logging or monitoring purposes.
  - Filter/Exclusion: Exclude processes with parent processes related to security tools (e.g., Splunk, ELK, or SIEM agent).
- Scenario: A helpdesk technician uses the net user command to reset a user’s password or unlock an account.
  - Filter/Exclusion: Exclude processes initiated by helpdesk users or those involving password reset tasks (e.g., net user [username] /passwordreq:yes).