Investigating "Local User Addition or Modification via Net Commands" findings

Overview

This guide provides helpful tips for investigating “Local User Addition or Modification via Net Commands” findings using Report Builder to view logs from a host, as well as recommendations for creating detection filters to suppress noisy findings in Blumira.

Determining whether these are expected user additions or modifications is the main objective. Sometimes these may be explained by processes, scripts, or administrators performing expected functions.

Using Report Builder to analyze the logs

Reference: See Using the Report Builder for more information on building reports.

To review the actions taken on the device, do the following:

  1. Using the device name, create a report, then review the parent.cmdline column for details related to the net commands:
    1. In the finding, locate the device’s name in the devname field, which you will use to filter your report in later steps.
    2. Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
    3. Set Time Range to include the time of the activity that you need to investigate.
    4. In Data Sources, select Microsoft Windows and Blumira Agent Endpoint Logs data sources, if applicable, or to search all logs, click Edit Report, then click Select All Data Sources.
    5. Click Edit Report and then Add Filter.
    6. Add a filter that narrows the report results to the device's logs.
      Example: devname - Equal - device name
    7. Add columns to the report, such as those below, which will provide you with helpful information from the logs:
      • timestamp
      • user
      • command
      • description
      • device_address
      • devname
      • domain
      • windows_event_id
      • event_type
      • parent.cmdline
      • parent_process_id
      • parent_process_name
      • privileges
      • process_id
      • process_name
      • service_name
      • service_type
      • shipping_agent
      • subject_account_name
      • windows_log_source
      • type
    8. Click Submit.
  2. Using the process ID relationships, you can determine the source of the commands:
    1. In the finding, gather the process IDs and parent process IDs from the process_id and parent_process_id fields.
    2. Using the report you built above, add another report filter where the process_id includes any of the process IDs or parent process IDs you gathered from the finding:
      Example:
      devname - Equal - device name 
      AND
      process_id - In - 123 456 
    3. As you investigate, add more parent process ID values to the process_id filter as you go to create a process tree and help highlight process source attribution.
      Note: You may need to expand the custom time range of the report to uncover additional parent process ID values.
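As an added illustration of the parent process ID walk in step 2 (example code, not part of this article or of Blumira's product; the host name, process IDs and log rows are constructed), this Python emulates the `devname - Equal` AND `process_id - In` filter, keeps adding newly seen parent process IDs until the tree stops growing, and reports a parent that falls outside the collected rows, which is the case where the time range needs to be widened:

```python
# Constructed sample report rows for one host, already filtered on devname.
# Values are invented for illustration and are not real Blumira log data.
SAMPLE_LOGS = [
    {"timestamp": "2024-05-01T02:00:01", "devname": "WS-FIN-07", "process_id": 50,
     "parent_process_id": 4, "process_name": "svchost.exe",
     "command": "svchost.exe -k netsvcs -p -s Schedule"},
    {"timestamp": "2024-05-01T02:00:05", "devname": "WS-FIN-07", "process_id": 100,
     "parent_process_id": 50, "process_name": "powershell.exe",
     "command": "powershell.exe -File C:\\Scripts\\rotate-helpdesk.ps1"},
    {"timestamp": "2024-05-01T02:00:06", "devname": "WS-FIN-07", "process_id": 123,
     "parent_process_id": 100, "process_name": "cmd.exe",
     "command": "cmd.exe /c net user helpdesk /add"},
    {"timestamp": "2024-05-01T02:00:06", "devname": "WS-FIN-07", "process_id": 456,
     "parent_process_id": 123, "process_name": "net.exe",
     "command": "net user helpdesk /add"},
]


def rows_for_process_ids(logs, devname, pids):
    """Emulate the report filter: devname Equal <devname> AND process_id In <pids>."""
    return [r for r in logs if r["devname"] == devname and r["process_id"] in pids]


def expand_process_tree(logs, devname, finding_pid, finding_ppid):
    """Start from the finding's process_id and parent_process_id, then keep adding
    parent process IDs to the filter until a pass turns up no new ones."""
    pids = {finding_pid, finding_ppid}
    while True:
        rows = rows_for_process_ids(logs, devname, pids)
        parents = {r["parent_process_id"] for r in rows}
        if parents <= pids:          # no new parent IDs: the tree is complete
            return rows
        pids |= parents


def attribution_chain(logs, devname, finding_pid, finding_ppid):
    """Walk from the net command up to the oldest ancestor present in the logs.
    Returns (process names child-to-root, unresolved parent PID or None).
    An unresolved PID means that parent's row is outside the rows collected,
    so the report's time range should be widened."""
    by_pid = {r["process_id"]: r
              for r in expand_process_tree(logs, devname, finding_pid, finding_ppid)}
    chain, seen, pid = [], set(), finding_pid
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["process_name"])
        pid = by_pid[pid]["parent_process_id"]
    return chain, (None if pid in seen else pid)


if __name__ == "__main__":
    print(attribution_chain(SAMPLE_LOGS, "WS-FIN-07", 456, 123))
```

Here the chain ends at the scheduler service host whose own parent (PID 4) has no row in the sample, which is exactly the signal to expand the custom time range before deciding whether the script is expected.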

Adding detection filters

We recommend creating filters that use the most granular details possible. These findings may be generated with varying process names and parent process name details. The command field of the logs usually contains details that identify the script or recurring process that triggered the activity. You can add a filter based on those indicators, such as a specific user listed in the command or specific command-line parameters. Avoid filtering on net, net1, group, or command flags by themselves.

If you determine that it was expected activity that caused the finding, we do not recommend creating a detection filter because this is usually a singular event that is unlikely to cause a repeat finding. If you are confident it will be recurring and can be granularly filtered without introducing risk, then you may consider adding a filter.