Detect net(1).exe Discovery Activities
Net Discovery Activities Detected
Query
let StartTime = 2d;
let BinFormat = 1d;
let Threshold = 10;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
ProcessCommandLine has "group", "GROUP",
ProcessCommandLine has "user", "USER",
ProcessCommandLine has "localgroup", "LOCALGROUP",
"Other")
| where NetActionType != "Other"
| where isnotempty(AccountUpn)
| summarize TotalEvents = count(), TotalAccountsEvents = countif(NetActionType == "ACCOUNTS"), TotalGroupEvents = countif(NetActionType == "GROUP"), TotalUserEvents = countif(NetActionType == "USER"), TotalLocalGroupEvents = countif(NetActionType == "LOCALGROUP"), ExecutedCommands = make_set(ProcessCommandLine), LastEvent = arg_max(Timestamp, *), FirstEvent = arg_min(Timestamp, *) by AccountUpn, bin(Timestamp, BinFormat)
| where TotalEvents >= Threshold
| project-reorder FirstEvent, LastEvent, TotalEvents, TotalAccountsEvents, TotalGroupEvents, TotalLocalGroupEvents, TotalUserEvents, ExecutedCommandsAbout this query
Explanation
This query is designed to detect suspicious activities involving the use of net.exe or net1.exe commands, which are often used for network discovery tasks. The query focuses on identifying unusual patterns of these commands being executed by user accounts, which could indicate malicious behavior, such as an attacker trying to gather information about the network for further exploitation.
Here's a simple breakdown of what the query does:
- Timeframe: It looks at events from the last two days by default.
- Command Detection: It specifically checks for the execution of
net.exeornet1.exewith certain parameters:accounts,group,user, andlocalgroup. - Event Counting: It counts how many times each of these parameters is used by each user account.
- Threshold for Alerts: If a user account executes these commands 10 times or more in a day, it flags this as suspicious.
- Command Details: It also collects the exact commands executed for further analysis.
- Exclusions: You can exclude certain accounts from this detection, such as those belonging to service desk employees who might legitimately use these commands frequently.
The goal is to identify potential unauthorized network discovery activities, which could be a precursor to more serious security incidents.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsAccountUserGroupLocalExecutedCommandsTimestampTimeGenerated
Operators
letagostartofdayinextendcasehasisnotemptysummarizecountcountifmake_setarg_maxarg_minbybinwhereproject-reorder