Query Details

List all net(1).exe activities on a host

MDE Net Activities

Query

let CompromisedDevice = "azurewin2022";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
//| where DeviceName == CompromisedDevice
| where TimeGenerated > ago(SearchWindow)
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
    ProcessCommandLine has "group", "GROUP",
    ProcessCommandLine has "user", "USER",
    ProcessCommandLine has "localgroup", "LOCALGROUP",
    "Other")
| where NetActionType != "Other"
| project-reorder TimeGenerated, ProcessCommandLine
| sort by TimeGenerated

About this query

List all net(1).exe activities on a host


Defender XDR

let CompromisedDevice = "azurewin2022";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
//| where DeviceName == CompromisedDevice
| where Timestamp > ago(SearchWindow)
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
    ProcessCommandLine has "group", "GROUP",
    ProcessCommandLine has "user", "USER",
    ProcessCommandLine has "localgroup", "LOCALGROUP",
    "Other")
| where NetActionType != "Other"
| project-reorder Timestamp, ProcessCommandLine
| sort by Timestamp

Sentinel

Explanation

This query is designed to identify and list specific activities related to the execution of "net.exe" or "net1.exe" on a particular host, named "azurewin2022", within a specified time window of 48 hours. The query is written for two different platforms, Defender XDR and Sentinel, but performs the same function on both.

Here's a simple breakdown of what the query does:

  1. Define Variables:

    • CompromisedDevice is set to "azurewin2022", which is the name of the host being monitored.
    • SearchWindow is set to 48 hours, meaning the query will look for events that occurred in the last 48 hours.
  2. Filter Events:

    • The query looks at DeviceProcessEvents, which contains records of processes that have run on the device.
    • It filters these events to only include those where the process name is either "net.exe" or "net1.exe".
    • It also ensures that the events occurred within the last 48 hours.
  3. Classify Actions:

    • The query examines the command line arguments used with "net.exe" or "net1.exe" to classify the type of action performed. It checks for specific keywords:
      • "accounts" is classified as "ACCOUNTS"
      • "group" is classified as "GROUP"
      • "user" is classified as "USER"
      • "localgroup" is classified as "LOCALGROUP"
    • Any command line that does not match these keywords is labeled as "Other", but these are filtered out in the next step.
  4. Filter and Sort:

    • The query excludes any actions classified as "Other", focusing only on the specified action types.
    • It rearranges the columns to show the timestamp and command line first.
    • Finally, it sorts the results by the timestamp to present the activities in chronological order.

In summary, this query helps identify and categorize specific network-related actions performed by "net.exe" or "net1.exe" on a specified host within a recent timeframe, aiding in security monitoring and analysis.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsFileNameCommandLineTimestampTimeGenerated

Operators

letincasehasagoextendproject-reordersort bywhere

Actions

GitHub