The Windows net command is an older (but still useful) CLI multitool.
Useful commands for reconnaissance
net users— enumerate all local usersnet user $USER— retrieve information about the local user$USERnet users /domain— enumerate domain usersnet user $USER /domain— retrieve information about the domain user$USERnet group /domain— enumerate domain groupsnet group $GROUP /domain— show members (users only!) of domain group$GROUP(try withDomain Admins!)net localgroup— enumerate local groupsnet localgroup $GROUP— show members of local group$GROUP(try withAdministrators!)net localgroup $GROUP $USER /add— add a member to a local group (useful targets areAdministrators,Backup Operators, andRemote Management Users)net share— list all current shares (including some that are just control processes)
Note that Windows allows for duplicate domain and local users; this is why users get prefixed by the domain or local machine name. Comparing the output of whoami and hostname will reveal if you’re logged in with a local or domain account.
Remember that net group $GROUP /domain doesn’t show which domain groups are members of $GROUP, and thus will miss domain admins whose membership is controlled by a nested group. The only way to retrieve a full list of users in a domain group is to use PowerShell.
Manipulating users and groups
Windows’ net command can be used to manipulate user and group information (iff you already have admin/SYSTEM privileges!). For example:
# Change a user's password
#
net user $USERNAME $PASSWORD
# Add a user to a domain
#
net user $USERNAME /add /domain
# Make a user a domain admin
#
net group "Domain Admins" $USERNAME /add /domain