Uncommon Net User

The
Uncommon Net User
Analytics alert indicates that the
net user
command was executed on an endpoint.

Synopsis

10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Severity
Varies by activity (High, Medium, or Low).

Description

The net.exe command is used to add, delete, and otherwise manage the users on an endpoint. This command execution is uncommon for this endpoint.

Attacker's Goals

Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.

Recommended For You