List net(1).exe discovery activities
Net Discovery Activities
Query
let StartTime = 30d;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
ProcessCommandLine has "group", "GROUP",
ProcessCommandLine has "user", "USER",
ProcessCommandLine has "localgroup", "LOCALGROUP",
"Other")
| where NetActionType != "Other"
| where isnotempty(AccountUpn)
| summarize TotalEvents = count(), TotalAccountsEvents = countif(NetActionType == "ACCOUNTS"), TotalGroupEvents = countif(NetActionType == "GROUP"), TotalUserEvents = countif(NetActionType == "USER"), TotalLocalGroupEvents = countif(NetActionType == "LOCALGROUP"), ExecutedCommands = make_set(ProcessCommandLine) by AccountUpnAbout this query
Explanation
This query is designed to monitor and analyze the usage of the net.exe or net1.exe commands on a network. These commands are often used for network administration tasks, but they can also be used by attackers to gather information about a network. The query focuses on identifying discovery activities related to user accounts, groups, and password policies.
Key Points:
-
Time Frame: The query looks at events from the past 30 days.
-
Targeted Commands: It specifically tracks the execution of
net.exeornet1.exewith certain parameters:net accountsnet groupnet usernet localgroup
-
Activity Categorization: The query categorizes these activities into four types:
- ACCOUNTS
- GROUP
- USER
- LOCALGROUP
-
Data Aggregation: For each user account (identified by
AccountUpn), the query counts:- Total number of discovery events.
- Number of events for each category (accounts, group, user, localgroup).
- The specific commands executed.
-
Purpose: The results help identify users who perform an unusual number of discovery activities, which could indicate suspicious behavior or potential security threats.
-
Output: The query provides a summary of these activities per user, including the total number of events and the specific commands used, allowing for further analysis of command-line executions.
This query is useful for security teams to detect and investigate potential misuse of network administration tools for unauthorized discovery activities.
