Query Details

Net(1).exe Query Statistics

Net Query Statistics

Query

let StartTime = 30d;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
    ProcessCommandLine has "group", "GROUP",
    ProcessCommandLine has "user", "USER",
    ProcessCommandLine has "localgroup", "LOCALGROUP",
    "Other")
| where NetActionType != "Other"
| where isnotempty(AccountUpn)
| extend ExtractedParameters = split(ProcessCommandLine, " ")
| mv-apply QueriedEntity = ExtractedParameters on (
    where not(QueriedEntity has_any ("net", "net1", "user", "group", @"/do", @"/domain", @"/dom"))
    | project QueriedEntity
)
| where isnotempty(QueriedEntity)
| extend QueriedEntity = tolower(QueriedEntity)
| summarize arg_max(Timestamp, *) by ReportId
| summarize TotalQueries = count() by QueriedEntity, NetActionType
| sort by TotalQueries

About this query

Explanation

This query is designed to analyze and summarize the usage of the net.exe and net1.exe commands on devices over a specified period, which is set to the last 30 days by default. It focuses on identifying and counting the types of network-related actions performed, specifically those related to user and group management.

Here's a simple breakdown of what the query does:

  1. Time Frame: It looks at events from the last 30 days.

  2. Targeted Commands: It filters for processes where the command executed is either net.exe or net1.exe.

  3. Action Type Identification: It categorizes the command actions into four types based on the command line arguments:

    • ACCOUNTS
    • GROUP
    • USER
    • LOCALGROUP
  4. Filtering: It excludes any actions that don't fall into the above categories and ensures that the user account information (AccountUpn) is present.

  5. Parameter Extraction: It extracts and processes the parameters used in these commands to identify the specific entities (like user or group names) being queried.

  6. Entity Normalization: It converts the queried entities to lowercase for consistency.

  7. Data Summarization: It summarizes the data to count how many times each entity was queried for each action type.

  8. Sorting: Finally, it sorts the results by the total number of queries for each entity and action type.

This query helps in identifying frequently queried users or groups, which could indicate regular administrative activities or potential security concerns if unusual patterns are detected.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DevicesUserGroupsAccountsLocalgroupProcessCommandlineParametersQueries

Operators

let|whereinextendcasehas!=isnotemptysplitmv-applyonhas_anyprojecttolowersummarizearg_maxbycountsort

Actions

GitHub