Uncommon Net User

The Uncommon Net User alert indicates that the net user command was executed on an endpoint.


10 minutes.
3 days.
14 days.
10 minutes.
Traps endpoint data.
Discovery, persistence.


The net.exe command is used to add, delete, and otherwise manage the users on an endpoint. This command execution is uncommon for this endpoint.

Attacker's Goals

Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.

Related Documentation