Query Details

Endpoint Net Exe Listing Reconnaissance

Query

name : Net.exe activity list 
description : 
- This query shows all distinct activities generated by "net.exe" for each device.
table : 
- DeviceProcessEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
query : |
    //List all distinct command lines from Net.exe per device
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    // =~ is case-insensitive; == would silently miss "NET.EXE"
    | where FileName =~ "net.exe"
    | summarize CmdList = make_set(ProcessCommandLine) by DeviceId, DeviceName
    // Case = number of distinct net.exe command lines seen on the device
    | extend Case = array_length(CmdList)
    | project DeviceId, DeviceName, Case, CmdList
    | order by Case desc


Explanation

This query lists the distinct command lines that "net.exe" has run on each device. It reads the DeviceProcessEvents table, keeps only events from the last 30 days whose file name is "net.exe", and collects the command lines per DeviceId and DeviceName into a set (CmdList). The "Case" column is simply the number of distinct command lines in that set, so sorting by Case in descending order puts the devices with the widest variety of net.exe usage at the top. The output is a baseline of what net.exe is normally used for on each host, from which account, group and share enumeration (net user, net group, net localgroup, net view, net share) can be spotted. Note that net.exe forwards most subcommands to net1.exe as a child process, so a query that matches only the net.exe file name will not list activity launched directly through net1.exe.
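The following is an added example, not part of the original query on this page, showing how the same listing can be extended into a hunting view: it includes net1.exe alongside net.exe, splits the distinct command lines by net subcommand, and counts how many of them target the domain (/domain). The subcommand list (ReconVerbs), the 30-day lookback and the make_set size limits are assumptions chosen for illustration; the column names (Timestamp, FileName, ProcessCommandLine, AccountName, DeviceId, DeviceName) are those of the DeviceProcessEvents table.

```kql
// Added example (not the original page's query): per-device net.exe / net1.exe
// enumeration activity, broken down by subcommand.
let lookback = 30d;                                  // assumed lookback window
// Assumed list of net subcommands used for account, group, host and share discovery.
let ReconVerbs = dynamic(["user", "group", "localgroup", "view", "share", "session", "accounts"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// in~ is case-insensitive; net.exe hands most subcommands to net1.exe, so match both.
| where FileName in~ ("net.exe", "net1.exe")
| extend Cmd = tolower(ProcessCommandLine)
// Token 0 is the binary (possibly quoted with a full path); token 1 is the subcommand.
| extend Parts = split(Cmd, " ")
| extend SubCommand = tostring(Parts[1])
| where SubCommand in (ReconVerbs)
// "/domain" means the query was sent to the domain controller rather than the local SAM.
| extend IsDomainQuery = Cmd contains "/domain"
| summarize
    CmdList = make_set(ProcessCommandLine, 100),     // cap the set so wide hosts stay readable
    DomainQueries = countif(IsDomainQuery),
    Accounts = make_set(AccountName, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceId, DeviceName, SubCommand
| extend Case = array_length(CmdList)
| project DeviceId, DeviceName, SubCommand, Case, DomainQueries, Accounts, FirstSeen, LastSeen, CmdList
| order by DomainQueries desc, Case desc
```

Because the subcommand is taken from the second whitespace-separated token, command lines with leading double spaces or unusual quoting will land in an empty SubCommand and be dropped by the ReconVerbs filter; remove that `where` line to see them when validating the parse on a new tenant.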

Details


Kijo Girardi

Released: April 6, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,Timestamp,FileName,ProcessCommandLine,DeviceId,DeviceName,Case,CmdList

Operators

where, summarize, make_set(), extend, array_length(), project, order by
