List all net(1).exe activities on a host
MDE Net Activities
Query
let CompromisedDevice = "azurewin2022";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
//| where DeviceName == CompromisedDevice
| where TimeGenerated > ago(SearchWindow)
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
ProcessCommandLine has "group", "GROUP",
ProcessCommandLine has "user", "USER",
ProcessCommandLine has "localgroup", "LOCALGROUP",
"Other")
| where NetActionType != "Other"
| project-reorder TimeGenerated, ProcessCommandLine
| sort by TimeGeneratedAbout this query
List all net(1).exe activities on a host
Defender XDR
let CompromisedDevice = "azurewin2022";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
//| where DeviceName == CompromisedDevice
| where Timestamp > ago(SearchWindow)
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
ProcessCommandLine has "group", "GROUP",
ProcessCommandLine has "user", "USER",
ProcessCommandLine has "localgroup", "LOCALGROUP",
"Other")
| where NetActionType != "Other"
| project-reorder Timestamp, ProcessCommandLine
| sort by Timestamp
Sentinel
Explanation
This query is designed to identify and list specific activities related to the execution of "net.exe" or "net1.exe" on a particular host, named "azurewin2022", within a specified time window of 48 hours. The query is written for two different platforms, Defender XDR and Sentinel, but performs the same function on both.
Here's a simple breakdown of what the query does:
-
Define Variables:
CompromisedDeviceis set to "azurewin2022", which is the name of the host being monitored.SearchWindowis set to 48 hours, meaning the query will look for events that occurred in the last 48 hours.
-
Filter Events:
- The query looks at
DeviceProcessEvents, which contains records of processes that have run on the device. - It filters these events to only include those where the process name is either "net.exe" or "net1.exe".
- It also ensures that the events occurred within the last 48 hours.
- The query looks at
-
Classify Actions:
- The query examines the command line arguments used with "net.exe" or "net1.exe" to classify the type of action performed. It checks for specific keywords:
- "accounts" is classified as "ACCOUNTS"
- "group" is classified as "GROUP"
- "user" is classified as "USER"
- "localgroup" is classified as "LOCALGROUP"
- Any command line that does not match these keywords is labeled as "Other", but these are filtered out in the next step.
- The query examines the command line arguments used with "net.exe" or "net1.exe" to classify the type of action performed. It checks for specific keywords:
-
Filter and Sort:
- The query excludes any actions classified as "Other", focusing only on the specified action types.
- It rearranges the columns to show the timestamp and command line first.
- Finally, it sorts the results by the timestamp to present the activities in chronological order.
In summary, this query helps identify and categorize specific network-related actions performed by "net.exe" or "net1.exe" on a specified host within a recent timeframe, aiding in security monitoring and analysis.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsFileNameCommandLineTimestampTimeGenerated
Operators
letincasehasagoextendproject-reordersort bywhere