```yaml
title: Privileged Domain Group Enumeration via Net
id: edr-win-disc-net-priv-group-enum
status: stable
description: >
  Detects net.exe or net1.exe querying privileged domain groups (Domain Admins,
  Enterprise Admins, ESX Admins, etc.). This is one of the first commands executed
  by virtually every ransomware operator after gaining initial access. Present in
  Akira, Qilin, SocGholish, Chaos, and Embargo intrusions.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  - https://blog.talosintelligence.com/new-chaos-ransomware/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.discovery
  - attack.t1069.002
logsource:
  category: process_creation
  product: windows
detection:
  # Each AND-ed clause lives in its own selection: a YAML mapping cannot repeat
  # the CommandLine|contains key, so stacking the clauses under one selection
  # silently keeps only the last one.
  selection_img:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
  selection_group:
    CommandLine|contains: 'group'
  selection_target:
    # Sigma string modifiers are case-insensitive unless |cased is set.
    CommandLine|contains:
      - 'domain admins'
      - 'domain computers'
      - 'domain users'
      - 'domain controllers'
      - 'enterprise admins'
      - 'ESX Admins'
  selection_domain:
    CommandLine|contains:
      - '/domain'
      - '/do'
  condition: all of selection_*
falsepositives:
  - IT administrators auditing group membership (correlate with user context)
level: high
```
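The following is an added example, not part of the rule or its author's work: a small Python re-implementation of the rule's matching logic (four AND-ed clauses, case-insensitive like Sigma's default string modifiers), run over constructed process_creation events so a reviewer can see which command lines fire and which do not. The event field names, sample paths and command lines are constructed for the demonstration.

```python
from typing import Iterable

# Rule constants, taken from the Sigma rule above (lower-cased for matching).
IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")
GROUP_KEYWORD = "group"
TARGET_GROUPS = (
    "domain admins", "domain computers", "domain users",
    "domain controllers", "enterprise admins", "esx admins",
)
DOMAIN_FLAGS = ("/domain", "/do")


def _contains_any(haystack: str, needles: Iterable[str]) -> bool:
    # Mirrors a Sigma list under |contains: any one value is enough.
    return any(n in haystack for n in needles)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies all four selections of the rule."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        image.endswith(IMAGE_SUFFIXES)            # selection_img
        and GROUP_KEYWORD in cmdline              # selection_group
        and _contains_any(cmdline, TARGET_GROUPS)  # selection_target
        and _contains_any(cmdline, DOMAIN_FLAGS)   # selection_domain
    )


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  group "Domain Admins" /domain'},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'C:\\Windows\\system32\\net1  GROUP "ESX Admins" /do'},
    # Local group query without a /domain flag: must not fire.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators"},
    # Same text, different binary: Image clause fails, must not fire.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c echo net group "Domain Admins" /domain'},
]


def alerting_events(events: Iterable[dict]) -> list:
    """Return the command lines of the events the rule would flag."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", line)
```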