T1069.002

Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups. Tools such as BloodHound, AdFind, and AD Explorer are also commonly used for this purpose by threat actors including OilRig, FIN7, Volt Typhoon, LAPSUS$, and ToddyCat.

Microsoft Sentinel / Defender

kusto

let DomainGroupCommands = dynamic([
  "net group", "net localgroup /domain",
  "Get-ADGroup", "Get-ADGroupMember",
  "dsquery group", "dsget group",
  "adfind", "AdFind",
  "ldapsearch",
  "dscacheutil",
  "Get-DomainGroup", "Get-NetGroup",
  "PowerView",
  "System.DirectoryServices",
  "DirectorySearcher",
  "samAccountType",
  "objectClass=group"
]);
let SuspiciousTools = dynamic([
  "adfind.exe", "AdFind.exe",
  "SharpHound.exe", "bloodhound.exe",
  "ADExplorer.exe", "adexplorer64.exe",
  "ldapsearch"
]);
let NetGroupEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "net.exe" or FileName =~ "net1.exe"
| where ProcessCommandLine has "group" and (
    ProcessCommandLine has "/domain" or
    ProcessCommandLine has "domain admins" or
    ProcessCommandLine has "enterprise admins" or
    ProcessCommandLine has "domain controllers" or
    ProcessCommandLine has "schema admins" or
    ProcessCommandLine has "group policy creator"
  )
| extend DetectionSource = "net group /domain";
let PowerShellADEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Get-ADGroup", "Get-ADGroupMember", "Get-DomainGroup", "Get-NetGroup", "DirectorySearcher", "objectClass=group", "samAccountType")
| extend DetectionSource = "PowerShell AD Group Enumeration";
let ToolBasedEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousTools)
| extend DetectionSource = "Known AD Enumeration Tool";
let DSQueryEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("dsquery.exe", "dsget.exe")
| where ProcessCommandLine has "group"
| extend DetectionSource = "dsquery/dsget group enumeration";
union NetGroupEvents, PowerShellADEvents, ToolBasedEvents, DSQueryEvents
| extend IsElevatedContext = AccountName in~ ("Administrator", "SYSTEM") or InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend TargetingPrivilegedGroups = ProcessCommandLine has_any ("domain admins", "enterprise admins", "schema admins", "administrators", "domain controllers")
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, DetectionSource, IsElevatedContext, TargetingPrivilegedGroups
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running legitimate Active Directory audits or health checks using net group or PowerShell AD cmdlets
Helpdesk staff using AD management tools to look up group memberships when resolving user access issues
Monitoring and SIEM agents (e.g., Microsoft Defender for Identity, CrowdStrike Falcon) performing scheduled AD enumeration as part of their normal operation
Automated scripts used during onboarding or offboarding processes that check group membership to provision or deprovision access
Vulnerability scanners and compliance tools (e.g., Tenable, Qualys) that enumerate AD groups as part of their assessment scope

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval Image=coalesce(Image, NewProcessName)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval IsNetGroup=if(match(ImageLower, "(\\\\net\.exe|\\\\net1\.exe)") AND match(CommandLineLower, "group") AND match(CommandLineLower, "(/domain|domain admins|enterprise admins|schema admins|domain controllers|group policy)"), 1, 0)
| eval IsPowerShellAD=if(match(ImageLower, "(\\\\powershell\.exe|\\\\pwsh\.exe)") AND match(CommandLineLower, "(get-adgroup|get-adgroupmember|get-domaingroup|get-netgroup|directorysearcher|objectclass=group|samaccounttype)"), 1, 0)
| eval IsADTool=if(match(ImageLower, "(adfind\.exe|sharphound\.exe|bloodhound\.exe|adexplorer\.exe|adexplorer64\.exe)"), 1, 0)
| eval IsDSQuery=if(match(ImageLower, "(\\\\dsquery\.exe|\\\\dsget\.exe)") AND match(CommandLineLower, "group"), 1, 0)
| eval IsLDAPSearch=if(match(CommandLineLower, "(ldapsearch|ldap.*objectclass.*group)"), 1, 0)
| eval DetectionScore=IsNetGroup + IsPowerShellAD + IsADTool + IsDSQuery + IsLDAPSearch
| where DetectionScore > 0
| eval TargetingPrivilegedGroup=if(match(CommandLineLower, "(domain admins|enterprise admins|schema admins|administrators|domain controllers|group policy creator)"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe|powerpnt\.exe|cmd\.exe)"), 1, 0)
| eval DetectionMethod=case(IsNetGroup=1, "net group /domain", IsPowerShellAD=1, "PowerShell AD Enumeration", IsADTool=1, "Known AD Enumeration Tool", IsDSQuery=1, "dsquery/dsget group", IsLDAPSearch=1, "LDAP Group Search", true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, DetectionMethod, TargetingPrivilegedGroup, SuspiciousParent, DetectionScore
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators running legitimate Active Directory audits or health checks using net group or PowerShell AD cmdlets
Helpdesk staff using AD management tools to look up group memberships when resolving user access issues
Monitoring and SIEM agents performing scheduled AD enumeration as part of their normal operation
Automated scripts used during onboarding or offboarding processes that check group membership to provision or deprovision access
Vulnerability scanners and compliance tools that enumerate AD groups as part of their assessment scope

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    process.name in~ ("net.exe", "net1.exe") and
    process.command_line like~ "* group *" and
    (
      process.command_line like~ "*/domain*" or
      process.command_line like~ "*domain admins*" or
      process.command_line like~ "*enterprise admins*" or
      process.command_line like~ "*schema admins*" or
      process.command_line like~ "*domain controllers*" or
      process.command_line like~ "*group policy*"
    )
  ) or
  (
    process.name in~ ("powershell.exe", "pwsh.exe") and
    (
      process.command_line like~ "*Get-ADGroup*" or
      process.command_line like~ "*Get-ADGroupMember*" or
      process.command_line like~ "*Get-DomainGroup*" or
      process.command_line like~ "*Get-NetGroup*" or
      process.command_line like~ "*DirectorySearcher*" or
      process.command_line like~ "*objectClass=group*" or
      process.command_line like~ "*samAccountType*"
    )
  ) or
  process.name in~ ("adfind.exe", "sharphound.exe", "bloodhound.exe", "adexplorer.exe", "adexplorer64.exe") or
  (
    process.name in~ ("dsquery.exe", "dsget.exe") and
    process.command_line like~ "*group*"
  )
)

medium severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Winlogbeat with Sysmon (event.code: 1) Winlogbeat Security Events (event.code: 4688) Elastic Agent process integration

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Active Directory administrators running Get-ADGroup or Get-ADGroupMember as part of routine account provisioning or access reviews
IT helpdesk staff running net group /domain to verify user group membership when troubleshooting access issues
Authorized security tools such as Tenable AD, Varonis, or CyberArk that enumerate domain groups for RBAC auditing and access certification campaigns
Scheduled scripts or monitoring agents (e.g., SolarWinds, ManageEngine ADManager) that periodically enumerate AD groups for reporting dashboards

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  sourceip AS SourceIP,
  username AS UserName,
  "devicehostname" AS Hostname,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("Image") LIKE '%\\net.exe' OR LOWER("Image") LIKE '%\\net1.exe' THEN 'net group /domain'
    WHEN LOWER("Image") LIKE '%\\powershell.exe' OR LOWER("Image") LIKE '%\\pwsh.exe' THEN 'PowerShell AD Enumeration'
    WHEN LOWER("Image") LIKE '%adfind.exe' OR LOWER("Image") LIKE '%sharphound.exe' OR LOWER("Image") LIKE '%bloodhound.exe' THEN 'Known AD Enumeration Tool'
    WHEN LOWER("Image") LIKE '%\\dsquery.exe' OR LOWER("Image") LIKE '%\\dsget.exe' THEN 'dsquery/dsget group'
    ELSE 'Unknown'
  END AS DetectionMethod,
  CASE
    WHEN LOWER("CommandLine") LIKE '%domain admins%'
      OR LOWER("CommandLine") LIKE '%enterprise admins%'
      OR LOWER("CommandLine") LIKE '%schema admins%'
      OR LOWER("CommandLine") LIKE '%domain controllers%'
      OR LOWER("CommandLine") LIKE '%group policy creator%'
    THEN 1 ELSE 0
  END AS TargetingPrivilegedGroup
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 191, 396)
  AND (
    (
      (LOWER("Image") LIKE '%\\net.exe' OR LOWER("Image") LIKE '%\\net1.exe')
      AND LOWER("CommandLine") LIKE '% group %'
      AND (
        LOWER("CommandLine") LIKE '%/domain%' OR
        LOWER("CommandLine") LIKE '%domain admins%' OR
        LOWER("CommandLine") LIKE '%enterprise admins%' OR
        LOWER("CommandLine") LIKE '%schema admins%' OR
        LOWER("CommandLine") LIKE '%domain controllers%' OR
        LOWER("CommandLine") LIKE '%group policy%'
      )
    ) OR (
      (LOWER("Image") LIKE '%\\powershell.exe' OR LOWER("Image") LIKE '%\\pwsh.exe')
      AND (
        LOWER("CommandLine") LIKE '%get-adgroup%' OR
        LOWER("CommandLine") LIKE '%get-adgroupmember%' OR
        LOWER("CommandLine") LIKE '%get-domaingroup%' OR
        LOWER("CommandLine") LIKE '%get-netgroup%' OR
        LOWER("CommandLine") LIKE '%directorysearcher%' OR
        LOWER("CommandLine") LIKE '%objectclass=group%' OR
        LOWER("CommandLine") LIKE '%samaccounttype%'
      )
    ) OR
      LOWER("Image") LIKE '%adfind.exe' OR
      LOWER("Image") LIKE '%sharphound.exe' OR
      LOWER("Image") LIKE '%bloodhound.exe' OR
      LOWER("Image") LIKE '%adexplorer.exe' OR
      LOWER("Image") LIKE '%adexplorer64.exe'
    OR (
      (LOWER("Image") LIKE '%\\dsquery.exe' OR LOWER("Image") LIKE '%\\dsget.exe')
      AND LOWER("CommandLine") LIKE '% group%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

medium severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventCode 4688) Sysmon Operational Log (EventCode 1) QRadar DSM for Microsoft Windows QRadar DSM for Sysmon

Required Tables

events

False Positives

Active Directory auditing scripts run by IT operations that enumerate domain groups for compliance reporting or ITSM change management workflows
Enterprise identity governance platforms (SailPoint, Saviynt, One Identity) that regularly query domain group membership to detect toxic combinations and certify access
Helpdesk automation tools running PowerShell Get-ADGroup against a service account to display user group memberships during password reset or access request workflows
Security scanning platforms (Tenable.ad, Semperis) legitimately enumerating group memberships for attack path analysis and exposure scoring

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*)
| where %"EventCode" in ("1", "4688") OR EventCode in (1, 4688)
| eval CommandLine = if (!isNull(%"CommandLine"), %"CommandLine", if (!isNull(%"ProcessCommandLine"), %"ProcessCommandLine", ""))
| eval Image = if (!isNull(%"Image"), toLower(%"Image"), if (!isNull(%"NewProcessName"), toLower(%"NewProcessName"), ""))
| eval ParentImage = if (!isNull(%"ParentImage"), toLower(%"ParentImage"), if (!isNull(%"ParentProcessName"), toLower(%"ParentProcessName"), ""))
| eval CommandLineLower = toLower(CommandLine)
| eval IsNetGroup = if(
    (Image matches "*\\net.exe" OR Image matches "*\\net1.exe")
    AND CommandLineLower matches "* group *"
    AND (
      CommandLineLower matches "*/domain*" OR
      CommandLineLower matches "*domain admins*" OR
      CommandLineLower matches "*enterprise admins*" OR
      CommandLineLower matches "*schema admins*" OR
      CommandLineLower matches "*domain controllers*" OR
      CommandLineLower matches "*group policy*"
    ), 1, 0)
| eval IsPowerShellAD = if(
    (Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe")
    AND (
      CommandLineLower matches "*get-adgroup*" OR
      CommandLineLower matches "*get-adgroupmember*" OR
      CommandLineLower matches "*get-domaingroup*" OR
      CommandLineLower matches "*get-netgroup*" OR
      CommandLineLower matches "*directorysearcher*" OR
      CommandLineLower matches "*objectclass=group*" OR
      CommandLineLower matches "*samaccounttype*"
    ), 1, 0)
| eval IsADTool = if(
    Image matches "*adfind.exe" OR
    Image matches "*sharphound.exe" OR
    Image matches "*bloodhound.exe" OR
    Image matches "*adexplorer.exe" OR
    Image matches "*adexplorer64.exe", 1, 0)
| eval IsDSQuery = if(
    (Image matches "*\\dsquery.exe" OR Image matches "*\\dsget.exe")
    AND CommandLineLower matches "*group*", 1, 0)
| eval DetectionScore = IsNetGroup + IsPowerShellAD + IsADTool + IsDSQuery
| where DetectionScore > 0
| eval DetectionMethod = if(IsNetGroup = 1, "net group /domain",
    if(IsPowerShellAD = 1, "PowerShell AD Enumeration",
    if(IsADTool = 1, "Known AD Enumeration Tool",
    if(IsDSQuery = 1, "dsquery/dsget group", "Unknown"))))
| eval TargetingPrivilegedGroup = if(
    CommandLineLower matches "*domain admins*" OR
    CommandLineLower matches "*enterprise admins*" OR
    CommandLineLower matches "*schema admins*" OR
    CommandLineLower matches "*domain controllers*" OR
    CommandLineLower matches "*group policy creator*", "true", "false")
| eval SuspiciousParent = if(
    ParentImage matches "*wscript.exe" OR
    ParentImage matches "*cscript.exe" OR
    ParentImage matches "*mshta.exe" OR
    ParentImage matches "*winword.exe" OR
    ParentImage matches "*excel.exe" OR
    ParentImage matches "*outlook.exe", "true", "false")
| fields _time, %"host", %"User", Image, CommandLine, ParentImage, DetectionMethod, TargetingPrivilegedGroup, SuspiciousParent, DetectionScore
| sort by _time desc

medium severity high confidence

Data Sources

Windows Security Event Log (EventCode 4688) via Sumo Logic Windows collector Sysmon Operational Log (EventCode 1) via Sumo Logic installed collector Sumo Logic Cloud SIEM Enterprise normalized process events

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

System administrators using Get-ADGroup or Get-ADGroupMember in PowerShell scripts during user onboarding, offboarding, or access reviews in Change Management windows
Authorized penetration testing or Red Team exercises using AdFind, SharpHound, or BloodHound against the Active Directory environment with written authorization
Enterprise identity management platforms (CyberArk, BeyondTrust, Saviynt) that enumerate domain group memberships as part of privileged access certification workflows
Helpdesk tooling that invokes net group /domain to look up group membership during Tier 1 support calls

Google Chronicle / SecOps

yaral

rule t1069_002_domain_group_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1069.002 domain group enumeration via net group /domain, PowerShell AD cmdlets (Get-ADGroup, Get-DomainGroup, DirectorySearcher), known AD recon tools (AdFind, SharpHound, BloodHound, ADExplorer), and dsquery/dsget group commands."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1069.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1069/002/"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-17"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)[\\\\|\/](net|net1)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bgroup\b`) and
        re.regex($e.target.process.command_line, `(?i)(\/domain\b|domain[\s]+admins|enterprise[\s]+admins|schema[\s]+admins|domain[\s]+controllers|group[\s]+policy)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)[\\\\|\/](powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Get-ADGroup|Get-ADGroupMember|Get-DomainGroup|Get-NetGroup|DirectorySearcher|objectClass=group|samAccountType)`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i)(adfind|sharphound|bloodhound|ADExplorer|adexplorer64)\.exe$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)[\\\\|\/](dsquery|dsget)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bgroup\b`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM PROCESS_LAUNCH events from Windows endpoints Chronicle Forwarder with Windows Event Log (EventCode 4688) Chronicle Forwarder with Sysmon (EventCode 1) CrowdStrike Falcon Chronicle integration Microsoft Defender for Endpoint Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Active Directory administrators running net group /domain or PowerShell AD cmdlets from privileged workstations (PAWs) during authorized access management tasks
IT automation platforms (Ansible, Chef, Puppet, ServiceNow) using PowerShell remoting to query AD groups as part of role-based provisioning workflows
Legitimate deployment of BloodHound or SharpHound by authorized red team or purple team operators during scheduled security assessment engagements
Identity governance tools scanning domain groups for quarterly access certifications and toxic combination analysis

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(\\net\.exe|\\net1\.exe|\\powershell\.exe|\\pwsh\.exe|adfind\.exe|sharphound\.exe|bloodhound\.exe|adexplorer\.exe|adexplorer64\.exe|\\dsquery\.exe|\\dsget\.exe)$/
| eval ImageLower = lowercase(ImageFileName)
| eval CmdLower = lowercase(CommandLine)
| eval IsNetGroup = if(
    ImageLower = /(\\net\.exe|\\net1\.exe)$/ AND
    CmdLower = /\bgroup\b/ AND
    CmdLower = /(\/domain\b|domain admins|enterprise admins|schema admins|domain controllers|group policy)/,
    "true", "false")
| eval IsPowerShellAD = if(
    ImageLower = /(\\powershell\.exe|\\pwsh\.exe)$/ AND
    CmdLower = /(get-adgroup|get-adgroupmember|get-domaingroup|get-netgroup|directorysearcher|objectclass=group|samaccounttype)/,
    "true", "false")
| eval IsADTool = if(
    ImageLower = /(adfind\.exe|sharphound\.exe|bloodhound\.exe|adexplorer\.exe|adexplorer64\.exe)$/,
    "true", "false")
| eval IsDSQuery = if(
    ImageLower = /(\\dsquery\.exe|\\dsget\.exe)$/ AND
    CmdLower = /\bgroup\b/,
    "true", "false")
| where IsNetGroup = "true" OR IsPowerShellAD = "true" OR IsADTool = "true" OR IsDSQuery = "true"
| eval DetectionMethod = case(
    IsNetGroup = "true",    "net group /domain",
    IsPowerShellAD = "true", "PowerShell AD Enumeration",
    IsADTool = "true",       "Known AD Enumeration Tool",
    IsDSQuery = "true",      "dsquery/dsget group",
    default="Unknown")
| eval TargetingPrivilegedGroup = if(
    CmdLower = /(domain admins|enterprise admins|schema admins|domain controllers|group policy creator)/,
    "true", "false")
| eval SuspiciousParent = if(
    lowercase(ParentBaseFileName) = /(wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe|powerpnt\.exe)/,
    "true", "false")
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionMethod, TargetingPrivilegedGroup, SuspiciousParent], function=count(as=EventCount))
| sort(field=@timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon sensor ProcessRollup2 events Falcon Data Replicator (FDR) process execution telemetry Humio/LogScale ingest from Falcon streaming API

Required Tables

#event_simpleName = ProcessRollup2

False Positives

IT administrators using PowerShell AD cmdlets (Get-ADGroup, Get-ADGroupMember) from privileged admin workstations during change management windows for user access provisioning or group membership audits
Authorized security assessment teams running SharpHound or BloodHound during scheduled red team or purple team exercises with documented scope of work
Enterprise identity governance platforms (Saviynt, SailPoint, One Identity) running as Windows services that enumerate domain groups for continuous access certification and RBAC enforcement
Monitoring agents or SIEM connectors (e.g., LogRhythm System Monitor, Splunk UF with AD scripted inputs) invoking net group or dsquery to collect AD telemetry

Last updated: 2026-04-17 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1069.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Groups

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections