Create local admin accounts using net.exe

Description

This search looks for the creation of local administrator accounts using net.exe.



Use Case

Security Monitoring

Category

Malware

Alert Volume

Medium

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution
Persistence

MITRE ATT&CK Techniques

Command and Scripting Interpreter

MITRE Threat Groups

APT19
APT32
APT39
Dragonfly 2.0
FIN5
FIN6
FIN7
Ke3chang
Molerats
OilRig
Stealth Falcon
Whitefly

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response


Create local admin accounts using net.exe Help

Net.exe is a built-in Windows command-line tool that can be used to add, display, or modify user accounts. While Microsoft administrators use this tool to manage user groups, threat actors often leverage it to create local admin accounts to maintain persistence. This search looks for executions of the net.exe process whose command line contains parameters such as localgroup, add, or user, which may correspond to the creation of local admin accounts or to setting user/group properties.
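The matching logic described above, as an added Python example run over constructed process-creation events (it is not the search shipped with this content). The field names `host`, `process_path` and `command_line` are hypothetical; including `net1.exe` and the narrower Administrators check go beyond what the description states.

```python
import ntpath

# net1.exe is the helper binary net.exe hands off to; covering it is an
# assumption of this example, the description only names net.exe.
NET_BINARIES = {"net.exe", "net1.exe"}
KEYWORDS = {"localgroup", "user", "add"}  # parameters named in the description


def _tokens(event):
    """Lower-cased command-line arguments, or an empty set if not net.exe."""
    image = ntpath.basename(event["process_path"]).lower()
    if image not in NET_BINARIES:
        return set()
    # Whole-argument matching: "\\fileserver\users" must not count as "user".
    return {t.strip('"').lstrip("/").lower() for t in event["command_line"].split()}


def matched_keywords(event):
    """Keywords from the description present as whole arguments."""
    return sorted(_tokens(event) & KEYWORDS)


def is_local_admin_add(event):
    """Narrower, higher-priority case: /add against local Administrators."""
    return {"localgroup", "administrators", "add"} <= _tokens(event)


def triage(events):
    """Return (host, keywords, admin_add) for every event worth reviewing."""
    return [(e["host"], matched_keywords(e), is_local_admin_add(e))
            for e in events if matched_keywords(e)]


# Constructed sample events, not taken from any real environment.
SAMPLE_EVENTS = [
    {"host": "ws01", "process_path": r"C:\Windows\System32\net.exe",
     "command_line": "net user svc_backup Example-Pass1 /add"},
    {"host": "ws01", "process_path": r"C:\Windows\System32\net1.exe",
     "command_line": r"C:\Windows\System32\net1.exe localgroup Administrators svc_backup /add"},
    {"host": "ws02", "process_path": r"C:\Windows\System32\net.exe",
     "command_line": r"net view \\fileserver\users"},
    {"host": "ws03", "process_path": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo add user"},
    {"host": "ws04", "process_path": r"C:\Windows\System32\net.exe",
     "command_line": "net localgroup administrators"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The display-only `net localgroup administrators` on ws04 still matches the broad keyword check, which is the kind of routine administration that contributes to the Medium alert volume; the narrower check separates it from an actual group addition.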