Uncommon Net Group Execution

The Cortex XDR – Analytics Uncommon Net Group Execution alert indicates the net group command was used on an endpoint.


10 minutes.
3 days.
14 days.
10 minutes.
Traps endpoint data.


The net group command is used to add, display, or modify domain-level groups.

Attacker's Goals

Attackers may attempt to use the command to find domain-level groups and permissions settings or modify domain-level group memberships.
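The display-versus-modify distinction above can be applied when triaging the command line behind an alert. The following is an added example, not Cortex XDR's detection logic and not part of the original page: it classifies process command lines using the documented net group switches (/add, /delete, /comment, /domain). The function names and the sample events are constructed for illustration.

```python
import re

# net.exe hands group operations to net1.exe, so match both image names.
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}

def classify_net_group(cmdline):
    """Return None unless cmdline is a `net group` call, else a summary dict."""
    # Keep quoted segments ("Domain Admins", /comment:"Help desk") in one token.
    tokens = [t.strip('"') for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]
    if len(tokens) < 2:
        return None
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in NET_BINARIES or tokens[1].lower() != "group":
        return None
    args = tokens[2:]
    switches = {a.lower().split(":", 1)[0] for a in args if a.startswith("/")}
    positional = [a for a in args if not a.startswith("/")]
    if "/add" in switches or "/delete" in switches:
        verb = "add" if "/add" in switches else "delete"
        # group + user name(s) = membership change; group alone = the group itself
        action = f"{verb}_{'member' if len(positional) >= 2 else 'group'}"
    elif "/comment" in switches:
        action = "set_comment"
    else:
        action = "display"
    return {"action": action,
            "group": positional[0] if positional else None,
            "domain": "/domain" in switches,
            "changes_state": action != "display"}

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", r'net group "Domain Admins" /domain'),
    ("WS-014", r'net user jdoe /domain'),
    ("SRV-02", r'C:\Windows\System32\net1.exe group "Domain Admins" jdoe /add /domain'),
    ("WS-031", r'net.exe group helpdesk /add /comment:"Help desk"'),
]

def triage(events):
    """Return (host, summary) for net group events, state-changing ones first."""
    hits = [(h, s) for h, c in events if (s := classify_net_group(c))]
    return sorted(hits, key=lambda hs: not hs[1]["changes_state"])

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS):
        print(host, summary)
```

Events with changes_state set to True are the group or membership modifications and sort to the top; the remaining hits are enumeration only.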
