Query Details

Commandline Group Addition

Query

// Source Sensitive Groups: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/alert-when-a-group-is-added-to-a-sensitive-active-directory/ba-p/3436868
let SensitiveGroupName = pack_array(  // Declare Sensitive Group names. Add any groups that you manually tagged as sensitive
    'Account Operators',
    'Administrators',
    'Domain Admins', 
    'Backup Operators',
    'Domain Controllers',
    'Enterprise Admins',
    'Enterprise Read-only Domain Controllers',
    'Group Policy Creator Owners',
    'Incoming Forest Trust Builders',
    'Microsoft Exchange Servers',
    'Network Configuration Operators',
    'Print Operators',
    'Read-only Domain Controllers',
    'Replicator',
    'Schema Admins',
    'Server Operators'
);
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "group") 
| extend GroupIsSentitive = iff(ProcessCommandLine has_any (SensitiveGroupName), 1, 0)
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, GroupIsSentitive

About this query

Explanation

This query is designed to detect when a user is added to a group using command-line tools on a system. This action is often used by attackers to gain extra permissions or control over a system or network. The query specifically looks for instances where the command-line tools net.exe or net1.exe are used with the keywords "add" and "group," which indicates an attempt to add a user to a group.

The query also checks if the group being modified is considered sensitive. Sensitive groups include high-privilege groups like 'Administrators', 'Domain Admins', 'Enterprise Admins', and others that have significant control over the system or network. If the command affects any of these sensitive groups, it flags it as such.

The query outputs the timestamp, device name, the command line used, the initiating command line, and whether the group is sensitive. This information helps security teams quickly identify and respond to potential unauthorized changes to group memberships, which could indicate a security breach.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: August 14, 2025

Tables

DeviceProcessEvents

Keywords

DevicesUsersGroupsProcesses

Operators

letpack_arrayinhas_allextendiffhas_anyproject

MITRE Techniques

Actions

GitHub