Query Details

MDE Net Activities

Query

# List all net(1).exe activities on a host
----
### Defender For Endpoint

```kql
let CompromisedDevice = "azurewin2022";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
//| where DeviceName == CompromisedDevice
| where Timestamp > ago(SearchWindow)
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
    ProcessCommandLine has "group", "GROUP",
    ProcessCommandLine has "user", "USER",
    ProcessCommandLine has "localgroup", "LOCALGROUP",
    "Other")
| where NetActionType != "Other"
| project-reorder Timestamp, ProcessCommandLine
| sort by Timestamp
```
### Sentinel
```kql
let CompromisedDevice = "azurewin2022";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
//| where DeviceName == CompromisedDevice
| where TimeGenerated > ago(SearchWindow)
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
    ProcessCommandLine has "group", "GROUP",
    ProcessCommandLine has "user", "USER",
    ProcessCommandLine has "localgroup", "LOCALGROUP",
    "Other")
| where NetActionType != "Other"
| project-reorder TimeGenerated, ProcessCommandLine
| sort by TimeGenerated
```



Explanation

The query lists every `net.exe` and `net1.exe` process start recorded in `DeviceProcessEvents` within the last 48 hours (the `SearchWindow` value; change the `h` suffix to `d` for days). Each hit is labelled by which of the `accounts`, `group`, `user` or `localgroup` terms appears in the command line, rows matching none of them are dropped, and the remainder is sorted by timestamp. The `DeviceName` filter is commented out by default; uncomment it and set `CompromisedDevice` to scope the results to a single host. The only difference between the two versions is the timestamp column: `Timestamp` in Defender for Endpoint and `TimeGenerated` in Sentinel.
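To show how the filtering and `case()` labelling behave, here is the same logic reimplemented in Python and run over a handful of constructed `DeviceProcessEvents`-shaped rows. This is an added example, not part of the original query page or of Microsoft's KQL engine: the `terms()`/`has()` helpers approximate KQL's whole-term, case-insensitive `has` matching, the `in` check is exact (KQL `in` is case-sensitive; `in~` is the case-insensitive form), and the sample command lines, host names and timestamps are made up for the demonstration. It also makes explicit why the `case()` order in the query is safe: `has "group"` does not match the single term `localgroup`, so `net localgroup` rows still land in `LOCALGROUP`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of DeviceProcessEvents (not real telemetry).
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "azurewin2022",
     "FileName": "net.exe", "ProcessCommandLine": "net user"},
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "azurewin2022",
     "FileName": "net1.exe", "ProcessCommandLine": "net1 localgroup administrators"},
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "azurewin2022",
     "FileName": "net.exe", "ProcessCommandLine": "net accounts"},
    # "net use" contains none of the watched terms -> classified "Other" and dropped.
    {"Timestamp": NOW - timedelta(hours=4), "DeviceName": "azurewin2022",
     "FileName": "net.exe", "ProcessCommandLine": r"net use Z: \\fileserver\share"},
    # 72h old -> outside the 48h SearchWindow.
    {"Timestamp": NOW - timedelta(hours=72), "DeviceName": "azurewin2022",
     "FileName": "net.exe", "ProcessCommandLine": 'net group "Domain Admins" /domain'},
    # Different host -> only kept while the DeviceName filter is commented out.
    {"Timestamp": NOW - timedelta(hours=5), "DeviceName": "otherhost",
     "FileName": "net.exe", "ProcessCommandLine": 'net group "Domain Admins" /domain'},
    # Not net.exe/net1.exe -> excluded by the FileName filter even though "user" appears.
    {"Timestamp": NOW - timedelta(minutes=30), "DeviceName": "azurewin2022",
     "FileName": "powershell.exe", "ProcessCommandLine": 'powershell -c "net user"'},
]

# Same order as the case() expression in the KQL query: first match wins.
CASE_ORDER = [("accounts", "ACCOUNTS"), ("group", "GROUP"),
              ("user", "USER"), ("localgroup", "LOCALGROUP")]
WATCHED_BINARIES = ("net.exe", "net1.exe")   # KQL `in` is case-sensitive, so exact match here


def terms(text):
    """Approximation of KQL term tokenisation: runs of word characters, lower-cased."""
    return set(re.findall(r"\w+", text.lower()))


def has(text, term):
    """Approximation of KQL `has`: whole-term, case-insensitive match."""
    return term.lower() in terms(text)


def net_action_type(cmdline):
    """Mirror of the extend NetActionType = case(...) step."""
    for term, label in CASE_ORDER:
        if has(cmdline, term):
            return label
    return "Other"


def hunt_net_activity(events, now, search_window=timedelta(hours=48), compromised_device=None):
    """Apply the query's filters and return the surviving rows sorted by Timestamp.

    compromised_device=None corresponds to the commented-out DeviceName filter.
    """
    hits = []
    for ev in events:
        if compromised_device is not None and ev["DeviceName"] != compromised_device:
            continue
        if not ev["Timestamp"] > now - search_window:      # Timestamp > ago(SearchWindow)
            continue
        if ev["FileName"] not in WATCHED_BINARIES:         # FileName in ("net.exe", "net1.exe")
            continue
        action = net_action_type(ev["ProcessCommandLine"])
        if action == "Other":                              # NetActionType != "Other"
            continue
        hits.append({**ev, "NetActionType": action})
    return sorted(hits, key=lambda e: e["Timestamp"])     # sort by Timestamp


if __name__ == "__main__":
    for row in hunt_net_activity(SAMPLE_EVENTS, NOW, compromised_device="azurewin2022"):
        print(row["Timestamp"].isoformat(), row["NetActionType"], row["ProcessCommandLine"])
```

Running the block with `compromised_device="azurewin2022"` keeps three rows (ACCOUNTS, LOCALGROUP, USER); passing `None` reproduces the query as published, where the `otherhost` GROUP row is also returned.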

Details


Bert-Jan Pals

Released: March 15, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,FileName,ProcessCommandLine,NetActionType,Timestamp,TimeGenerated,DeviceName,CompromisedDevice,SearchWindow,"net.exe","net1.exe","accounts","group","user","localgroup","Other"

Operators

where, extend, case, project-reorder, sort by, has, in, ago, !=, ==, &&, ||
