Uncommon net localgroup Execution

The Uncommon net localgroup Execution alert indicates the net localgroup command was used on an endpoint.


10 minutes.
3 days.
14 days.
10 minutes.
Traps endpoint data.


The net localgroup command is used to add, display, or modify groups local to the endpoint.

Attacker's Goals

Attackers can attempt to use the command to find endpoint groups and permissions settings or modify local group memberships.

Related Documentation