Windows Net command executed to enumerate administrators


Goal

Detect when a user runs the net command to enumerate the members of the Administrators group, which can indicate adversary reconnaissance on the host.

Strategy

Monitor Windows Security event logs where @evt.id is 4799 (a security-enabled local group membership was enumerated), @Event.EventData.Data.CallerProcessName matches *net1.exe, and @Event.EventData.Data.TargetUserName is Administrators. The caller is net1.exe rather than net.exe because net.exe hands group queries off to net1.exe, so the wildcard is matched against the full process path.

Triage and response

Verify whether {{@Event.EventData.Data.SubjectUserName}} has a legitimate reason to enumerate members of the Administrators group on {{host}}.
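The detection logic from the Strategy section and the triage fields from the section above, as an added Python example that is not part of the rule page: it evaluates the three conditions over constructed sample events (the event shapes, user names and host names are assumptions, not real log data) and returns the SubjectUserName/host pairs an analyst would verify.

```python
import fnmatch

# Constructed sample events shaped like Datadog's Windows event log attributes
# (not real log data). Field names follow the rule's query; "@" marks an attribute.
SAMPLE_EVENTS = [
    {"evt": {"id": 4799}, "host": "ws-042",                     # should match
     "Event": {"EventData": {"Data": {"CallerProcessName": r"C:\Windows\System32\net1.exe",
                                      "TargetUserName": "Administrators", "SubjectUserName": "jdoe"}}}},
    {"evt": {"id": 4799}, "host": "ws-042",                     # other group: no match
     "Event": {"EventData": {"Data": {"CallerProcessName": r"C:\Windows\System32\net1.exe",
                                      "TargetUserName": "Remote Desktop Users", "SubjectUserName": "jdoe"}}}},
    {"evt": {"id": 4799}, "host": "srv-01",                     # other caller: no match
     "Event": {"EventData": {"Data": {"CallerProcessName": r"C:\Windows\System32\mmc.exe",
                                      "TargetUserName": "Administrators", "SubjectUserName": "svc-inventory"}}}},
    {"evt": {"id": 4799}, "host": "srv-01",                     # uppercase path: still matches
     "Event": {"EventData": {"Data": {"CallerProcessName": r"C:\WINDOWS\SYSTEM32\NET1.EXE",
                                      "TargetUserName": "Administrators", "SubjectUserName": "svc-inventory"}}}},
]

def get_field(event, path):
    """Walk a dotted attribute path such as '@Event.EventData.Data.TargetUserName'."""
    node = event
    for part in path.lstrip("@").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_rule(event):
    """Apply the rule's three conditions: event ID 4799, a caller process
    matching the wildcard *net1.exe, and the Administrators group as target.
    Paths and group names are compared case-insensitively, as Windows does."""
    if get_field(event, "@evt.id") != 4799:
        return False
    caller = str(get_field(event, "@Event.EventData.Data.CallerProcessName") or "").lower()
    target = str(get_field(event, "@Event.EventData.Data.TargetUserName") or "").lower()
    return fnmatch.fnmatchcase(caller, "*net1.exe") and target == "administrators"

def triage_context(events):
    """For each matching event, return the (SubjectUserName, host) pair that the
    triage step asks an analyst to verify."""
    return [(get_field(e, "@Event.EventData.Data.SubjectUserName"), get_field(e, "host"))
            for e in events if matches_rule(e)]

if __name__ == "__main__":
    for user, host in triage_context(SAMPLE_EVENTS):
        print(f"Verify whether {user} has a legitimate reason to enumerate Administrators on {host}")
```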