Net(1).exe Query Statistics
Net Query Statistics
Query
let StartTime = 30d;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
ProcessCommandLine has "group", "GROUP",
ProcessCommandLine has "user", "USER",
ProcessCommandLine has "localgroup", "LOCALGROUP",
"Other")
| where NetActionType != "Other"
| where isnotempty(AccountUpn)
| extend ExtractedParameters = split(ProcessCommandLine, " ")
| mv-apply QueriedEntity = ExtractedParameters on (
where not(QueriedEntity has_any ("net", "net1", "user", "group", @"/do", @"/domain", @"/dom"))
| project QueriedEntity
)
| where isnotempty(QueriedEntity)
| extend QueriedEntity = tolower(QueriedEntity)
| summarize arg_max(Timestamp, *) by ReportId
| summarize TotalQueries = count() by QueriedEntity, NetActionType
| sort by TotalQueriesAbout this query
Explanation
This query is designed to analyze and summarize the usage of the net.exe and net1.exe commands on devices over a specified period, which is set to the last 30 days by default. It focuses on identifying and counting the types of network-related actions performed, specifically those related to user and group management.
Here's a simple breakdown of what the query does:
-
Time Frame: It looks at events from the last 30 days.
-
Targeted Commands: It filters for processes where the command executed is either
net.exeornet1.exe. -
Action Type Identification: It categorizes the command actions into four types based on the command line arguments:
ACCOUNTSGROUPUSERLOCALGROUP
-
Filtering: It excludes any actions that don't fall into the above categories and ensures that the user account information (
AccountUpn) is present. -
Parameter Extraction: It extracts and processes the parameters used in these commands to identify the specific entities (like user or group names) being queried.
-
Entity Normalization: It converts the queried entities to lowercase for consistency.
-
Data Summarization: It summarizes the data to count how many times each entity was queried for each action type.
-
Sorting: Finally, it sorts the results by the total number of queries for each entity and action type.
This query helps in identifying frequently queried users or groups, which could indicate regular administrative activities or potential security concerns if unusual patterns are detected.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators