Query Details

List net(1).exe discovery activities

Net Discovery Activities

Query

let StartTime = 30d;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS", 
    ProcessCommandLine has "group", "GROUP", 
    ProcessCommandLine has "user", "USER", 
    ProcessCommandLine has "localgroup", "LOCALGROUP", 
    "Other")
| where NetActionType != "Other"
| where isnotempty(AccountUpn)
| summarize TotalEvents = count(), TotalAccountsEvents = countif(NetActionType == "ACCOUNTS"), TotalGroupEvents = countif(NetActionType == "GROUP"), TotalUserEvents = countif(NetActionType == "USER"), TotalLocalGroupEvents = countif(NetActionType == "LOCALGROUP"), ExecutedCommands = make_set(ProcessCommandLine) by AccountUpn

About this query

Explanation

This query is designed to monitor and analyze the usage of the net.exe or net1.exe commands on a network. These commands are often used for network administration tasks, but they can also be used by attackers to gather information about a network. The query focuses on identifying discovery activities related to user accounts, groups, and password policies.

Key Points:

  1. Time Frame: The query looks at events from the past 30 days.

  2. Targeted Commands: It specifically tracks the execution of net.exe or net1.exe with certain parameters:

    • net accounts
    • net group
    • net user
    • net localgroup
  3. Activity Categorization: The query categorizes these activities into four types:

    • ACCOUNTS
    • GROUP
    • USER
    • LOCALGROUP
  4. Data Aggregation: For each user account (identified by AccountUpn), the query counts:

    • Total number of discovery events.
    • Number of events for each category (accounts, group, user, localgroup).
    • The specific commands executed.
  5. Purpose: The results help identify users who perform an unusual number of discovery activities, which could indicate suspicious behavior or potential security threats.

  6. Output: The query provides a summary of these activities per user, including the total number of events and the specific commands used, allowing for further analysis of command-line executions.

This query is useful for security teams to detect and investigate potential misuse of network administration tools for unauthorized discovery activities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsAccountUserGroupLocalCommandLine

Operators

letinextendcasehaswhereisnotemptysummarizecountcountifmake_setby

MITRE Techniques

Actions

GitHub