Uncommon Net User

Uncommon Net User
Analytics alert indicates that the
net user
command was executed on an endpoint.


10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Varies by activity (High, Medium, or Low).


The net.exe command is used to add, delete, and otherwise manage the users on an endpoint. This command execution is uncommon for this endpoint.

Attacker's Goals

Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.

Recommended For You