SYSTEM Privileged Net Command Detected

Rule name: SYSTEM Privileged Net Command Detected

Rule type: Standard

Log sources: Windows, Sysmon

MITRE ATT&CK tags: Discovery: Account Discovery - Local Account (T1087.001); Discovery: Account Discovery - Domain Account (T1087.002)

Severity: Attention

About the rule

Rule Type

Standard

Rule Description

Identifies the SYSTEM account using the Net utility (net.exe and its helper net1.exe). The Net utility is a component of the Windows operating system, used in command-line operations to control users, groups, services, and network connections.

Why this rule?

This rule identifies when Net utility commands are executed with SYSTEM-level privileges, which is highly unusual and often indicates malicious activity. Attackers frequently use SYSTEM privileges to perform reconnaissance, establish persistence, or move laterally through a network. Detecting this behavior early helps prevent adversaries from mapping your network infrastructure or escalating their attack.

Severity

Attention

Rule journey

Attack chain scenario

Privilege Escalation → SYSTEM Account Access → Execution → Net Utility Execution → Discovery/Account Manipulation.

Impact

Unauthorized user/group manipulation and network share discovery.

Rule Requirement

Prerequisites

Enable Process Creation auditing (Event ID 4688) or Sysmon Event ID 1. Ensure "Include command line in process creation events" is enabled in Group Policy.

Criteria

Action1: actionname = "Process started" AND ((PROCESSNAME endswith "net.exe,net1.exe" OR ORIGINALFILENAME contains "net.exe,net1.exe") AND (SECURITYID contains "s-1-5-18,s-1-5-19,s-1-5-20" OR INTEGRITYLEVEL contains "system") AND PARENTPROCESSNAME notcontains "net.exe,net1.exe") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
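The criteria above, re-implemented as an added example over constructed process-creation events (this is illustration code, not the SIEM's own rule engine). Field names mirror the criteria; the sample events, hostnames and SIDs are constructed, and the binary check matches on the file's basename rather than a raw suffix of the path.

```python
# Added example: the rule's three clauses applied to constructed process-start events.
NET_BINARIES = ("net.exe", "net1.exe")
PRIVILEGED_SIDS = ("s-1-5-18", "s-1-5-19", "s-1-5-20")  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE


def is_net_binary(path):
    """Match on the basename. A raw suffix match (endswith "net.exe") would also
    hit unrelated binaries such as telnet.exe, so the basename check is tighter."""
    return path.lower().replace("/", "\\").split("\\")[-1] in NET_BINARIES


def matches_rule(event):
    """True when a process-start event satisfies all clauses of the criteria."""
    if event.get("actionname") != "Process started":
        return False
    net_clause = is_net_binary(event.get("PROCESSNAME", "")) or any(
        b in event.get("ORIGINALFILENAME", "").lower() for b in NET_BINARIES)
    priv_clause = any(s in event.get("SECURITYID", "").lower() for s in PRIVILEGED_SIDS) \
        or "system" in event.get("INTEGRITYLEVEL", "").lower()
    # net.exe always spawns net1.exe; excluding a net.exe parent avoids a duplicate alert
    parent_clause = not is_net_binary(event.get("PARENTPROCESSNAME", ""))
    return net_clause and priv_clause and parent_clause


# Constructed sample events (values are illustrative, not real telemetry)
EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "ws01",
     "PROCESSNAME": r"C:\Windows\System32\net.exe", "ORIGINALFILENAME": "net.exe",
     "COMMANDLINE": "net user", "SECURITYID": "S-1-5-18", "INTEGRITYLEVEL": "System",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe"},          # SYSTEM: alert
    {"actionname": "Process started", "HOSTNAME": "ws01",
     "PROCESSNAME": r"C:\Windows\System32\net1.exe", "ORIGINALFILENAME": "net1.exe",
     "COMMANDLINE": "net user", "SECURITYID": "S-1-5-18", "INTEGRITYLEVEL": "System",
     "PARENTPROCESSNAME": r"C:\Windows\System32\net.exe"},          # child of net.exe: suppressed
    {"actionname": "Process started", "HOSTNAME": "ws02",
     "PROCESSNAME": r"C:\Windows\System32\net.exe", "ORIGINALFILENAME": "net.exe",
     "COMMANDLINE": "net use", "SECURITYID": "S-1-5-21-1000-2000-3000-1001",
     "INTEGRITYLEVEL": "Medium", "PARENTPROCESSNAME": r"C:\Windows\explorer.exe"},  # normal user: no alert
]


def alerts(events):
    """Project matching events onto a subset of the fields the rule selects."""
    fields = ("HOSTNAME", "PROCESSNAME", "COMMANDLINE", "SECURITYID", "PARENTPROCESSNAME")
    return [{f: e.get(f, "") for f in fields} for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in alerts(EVENTS):
        print(alert)
```

Only the first event is reported: the net1.exe child is suppressed by the parent-process clause, and the third run lacks a privileged SID or System integrity level.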

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Discovery: Account Discovery - Local Account (T1087.001), Discovery: Account Discovery - Domain Account (T1087.002)

Author

@Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

Legitimate system administration scripts or automated software installers running as SYSTEM.

Next Steps

  1. Identification: Verify the parent process to see if the execution was triggered by a known management agent.
  2. Analysis: Examine the command line to determine the intent.
  3. Response: Isolate the host if the activity is unauthorized.

Mitigation

ID: M1028

Mitigation: Operating System Configuration

Description: Prevent administrator accounts from being enumerated when an application is elevating through UAC, since it can lead to the disclosure of account names. The Registry key is located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.