Adversaries may enumerate users and groups in a network to identify potential targets for lateral movement, indicating reconnaissance activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of compromise and prevent further network infiltration.
KQL Query
```kusto
DeviceProcessEvents
| where Timestamp > ago(14d)
// net.exe only, with a resolved account; drop UNC paths (net use \\server\share) and account creation (/add)
| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
// user/group lookups that are directed at the domain (/do or /domain)
| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain')
// capture the (optionally quoted) user or group name that follows the "user"/"group" keyword;
// the original pattern used the character class [user|group], which matches a single character, so it is written as an alternation here
| extend Target = extract("(?i)(?:user|group) (\"*[a-zA-Z0-9_ -]+\"*)", 1, ProcessCommandLine)
| where Target != ''
| project AccountName, Target, ProcessCommandLine, DeviceName, Timestamp
| sort by AccountName, Target
```
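To check what the query's filters and regex actually keep, here is an added Python re-implementation of the same where/extend/filter steps run over constructed sample rows in the shape of DeviceProcessEvents (example code, not part of the original rule; the sample events and the trimming of quotes from Target are assumptions made here):

```python
import re

# Constructed sample rows in the shape of DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"AccountName": "jdoe", "DeviceName": "WS01", "FileName": "net.exe",
     "ProcessCommandLine": "net user jdoe /domain"},
    {"AccountName": "jdoe", "DeviceName": "WS01", "FileName": "net.exe",
     "ProcessCommandLine": 'net group "Domain Admins" /domain'},
    {"AccountName": "svc-scan", "DeviceName": "SRV01", "FileName": "net.exe",
     "ProcessCommandLine": 'NET GROUP "Domain Admins" /DO'},          # kept: contains is case-insensitive
    {"AccountName": "jdoe", "DeviceName": "WS01", "FileName": "net.exe",
     "ProcessCommandLine": "net user svc-backup P@ss /add /domain"},  # dropped: /add (account creation)
    {"AccountName": "jdoe", "DeviceName": "WS01", "FileName": "net.exe",
     "ProcessCommandLine": r"net use Z: \\fileserver\share"},         # dropped: backslash (UNC path)
    {"AccountName": "", "DeviceName": "WS02", "FileName": "net.exe",
     "ProcessCommandLine": "net user bob /domain"},                   # dropped: empty AccountName
    {"AccountName": "admin", "DeviceName": "DC01", "FileName": "net.exe",
     "ProcessCommandLine": "net localgroup administrators"},          # dropped: no ' group ' token, no /domain
]

# Same pattern as the KQL extract(), with the keyword written as an alternation
# group rather than the character class [user|group].
TARGET_RE = re.compile(r'(?i)(?:user|group) ("*[a-zA-Z0-9_ -]+"*)')


def extract_target(command_line):
    """Return the user/group name net.exe was asked about, or '' if there is none."""
    m = TARGET_RE.search(command_line)
    if not m:
        return ""
    # The KQL leaves surrounding quotes and a trailing space in Target; trimming is added here.
    return m.group(1).strip().strip('"').strip()


def hunt(events):
    """Apply the query's where/extend/filter steps to a list of event dicts."""
    hits = []
    for e in events:
        cl = e["ProcessCommandLine"]
        low = cl.lower()  # KQL contains / !contains are case-insensitive
        if e["FileName"] != "net.exe" or e["AccountName"] == "":
            continue
        if "\\" in cl or "/add" in low:
            continue
        if not (" user " in low or " group " in low):
            continue
        if not (" /do" in low or " /domain" in low):
            continue
        target = extract_target(cl)
        if target == "":
            continue
        hits.append((e["AccountName"], target, e["DeviceName"], cl))
    return sorted(hits)  # mirrors "sort by AccountName, Target"
```

Note that a bare `net user /domain` (list every domain account) yields an empty Target and is dropped by the final filter, so the query only surfaces lookups of a specific account or group.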
```yaml
id: dde6f931-559e-4e21-9409-6286de59771e
name: Enumeration of users & groups for lateral movement
description: |
  The query finds attempts to list users or groups using Net commands.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(14d)
  | where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
  | where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain')
  | extend Target = extract("(?i)(?:user|group) (\"*[a-zA-Z0-9_ -]+\"*)", 1, ProcessCommandLine)
  | where Target != ''
  | project AccountName, Target, ProcessCommandLine, DeviceName, Timestamp
  | sort by AccountName, Target
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using `net user` to audit user accounts during a routine security review.
  Filter/Exclusion: Exclude processes initiated by the Administrators group or users with the audit privilege.
- Scenario: A scheduled job runs `net group` to synchronize group memberships across domain controllers.
  Filter/Exclusion: Exclude processes associated with the Scheduled Tasks service or those running under the Domain Admins group.
- Scenario: A developer is using `net use` to map a network drive for accessing shared resources.
  Filter/Exclusion: Exclude processes where the command includes `net use` and the target is a known shared resource (e.g., `\\server\share`).
- Scenario: A helpdesk technician is using `net user` to reset a user's password as part of a support ticket.
  Filter/Exclusion: Exclude processes initiated by the Helpdesk group or those involving password reset commands like `net user username *`.
- Scenario: A security tool or SIEM is using `net group` to gather group membership data for correlation with other logs.
  Filter/Exclusion: Exclude processes where the command is executed by a known security tool (e.g., Splunk, ELK, or SIEM agent) or from a specific service account.