# Net(1).exe Query Statistics

## Query Information

#### Description
This query lists statistics for the entities that have been queried with net.exe or net1.exe in the last x days, where x is set by the *StartTime* parameter. Only the (local)group and user query types are included. It can be used to list the users/groups that are queried often, or to surface rare discovery activity.

#### References
- https://learn.microsoft.com/en-us/windows/win32/winsock/net-exe-2
- https://www.trendmicro.com/en_us/research/19/f/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns.html
- https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques

## Defender For Endpoint
```KQL
let StartTime = 30d;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
    ProcessCommandLine has "group", "GROUP",
    ProcessCommandLine has "user", "USER",
    ProcessCommandLine has "localgroup", "LOCALGROUP",
    "Other")
| where NetActionType != "Other"
| where isnotempty(AccountUpn)
// De-duplicate on ReportId before the command line is expanded; doing it after
// mv-apply would keep only one extracted parameter per process event.
| summarize arg_max(Timestamp, *) by ReportId
| extend ExtractedParameters = split(ProcessCommandLine, " ")
| mv-apply QueriedEntity = ExtractedParameters on (
    // "localgroup" is listed explicitly: has_any matches whole terms, so "group" does not cover it.
    where not(QueriedEntity has_any ("net", "net1", "user", "group", "localgroup", @"/do", @"/domain", @"/dom"))
    | project QueriedEntity
)
| where isnotempty(QueriedEntity)
| extend QueriedEntity = tolower(QueriedEntity)
| summarize TotalQueries = count() by QueriedEntity, NetActionType
| sort by TotalQueries
```
## Sentinel
```KQL
let StartTime = 30d;
DeviceProcessEvents
| where TimeGenerated > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| extend NetActionType = case(ProcessCommandLine has "accounts", "ACCOUNTS",
    ProcessCommandLine has "group", "GROUP",
    ProcessCommandLine has "user", "USER",
    ProcessCommandLine has "localgroup", "LOCALGROUP",
    "Other")
| where NetActionType != "Other"
| where isnotempty(AccountUpn)
// De-duplicate on ReportId before the command line is expanded; doing it after
// mv-apply would keep only one extracted parameter per process event.
| summarize arg_max(TimeGenerated, *) by ReportId
| extend ExtractedParameters = split(ProcessCommandLine, " ")
| mv-apply QueriedEntity = ExtractedParameters on (
    // "localgroup" is listed explicitly: has_any matches whole terms, so "group" does not cover it.
    where not(QueriedEntity has_any ("net", "net1", "user", "group", "localgroup", @"/do", @"/domain", @"/dom"))
    | project QueriedEntity
)
| where isnotempty(QueriedEntity)
| extend QueriedEntity = tolower(QueriedEntity)
| summarize TotalQueries = count() by QueriedEntity, NetActionType
| sort by TotalQueries
```

Explanation

The query lists statistics for the entities that have been queried in the last x days, where x is determined by the StartTime parameter. It focuses on the (local)group and user query types, with the aim of identifying frequently queried users/groups or rare discovery activity. It filters process events for net.exe and net1.exe, categorizes the query type from the command line, extracts the queried entity from the remaining command-line arguments, and then summarizes the total number of queries for each queried entity and query type. The results are sorted by the total number of queries.
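The same categorisation and entity extraction, written in Python as an added example (not part of the original page or the author's query) so the parsing rules can be checked offline against constructed process events before the query is run. The `event` helper, the sample command lines and the UPNs are assumptions; the whole-word matching mirrors the term semantics of the KQL `has` operator, which is why "localgroup" has to be excluded explicitly.

```python
from collections import Counter

# net.exe syntax tokens; "localgroup" is listed because KQL `has "group"` matches whole terms only.
SYNTAX_TOKENS = {"net", "net.exe", "net1", "net1.exe", "user", "group",
                 "localgroup", "/do", "/domain", "/dom"}
# Whole-word verbs, checked in the same order as the KQL case() expression.
VERBS = (("accounts", "ACCOUNTS"), ("group", "GROUP"),
         ("user", "USER"), ("localgroup", "LOCALGROUP"))

def classify(cmdline: str) -> str:
    """Return the NetActionType label, or "Other" for non-discovery verbs."""
    words = {w.lower() for w in cmdline.split()}
    for verb, label in VERBS:
        if verb in words:
            return label
    return "Other"

def queried_entities(cmdline: str) -> list[str]:
    """Lower-cased arguments left once the syntax tokens are removed."""
    return [w.lower() for w in cmdline.split() if w.lower() not in SYNTAX_TOKENS]

def net_query_statistics(events: list[dict]) -> Counter:
    """Count (entity, action) pairs, keeping one record per ReportId."""
    latest: dict[str, dict] = {}
    for ev in events:
        if ev["FileName"].lower() not in ("net.exe", "net1.exe") or not ev.get("AccountUpn"):
            continue                          # FileName filter + isnotempty(AccountUpn)
        latest[ev["ReportId"]] = ev           # arg_max(Timestamp, *) by ReportId
    stats: Counter = Counter()
    for ev in latest.values():
        action = classify(ev["ProcessCommandLine"])
        if action == "Other":
            continue
        for entity in queried_entities(ev["ProcessCommandLine"]):
            stats[(entity, action)] += 1
    return stats

def event(rid, cmd, upn="ana@corp.example", exe="net.exe"):
    return {"ReportId": rid, "FileName": exe, "AccountUpn": upn, "ProcessCommandLine": cmd}

SAMPLE_EVENTS = [                                   # constructed, not real telemetry
    event("r1", "net user svc_backup /domain"),
    event("r1", "net user svc_backup /domain"),      # duplicate ReportId, counted once
    event("r2", "net localgroup administrators"),
    event("r3", "net1 localgroup Administrators", exe="net1.exe"),
    event("r4", "net user svc_backup", upn=""),      # empty AccountUpn: dropped
    event("r5", "net accounts /domain"),
    event("r6", "net use \\\\fs01\\share"),          # not a discovery verb: Other
]
```

`net_query_statistics(SAMPLE_EVENTS).most_common()` gives the same (entity, action type, count) view the KQL `summarize ... | sort by TotalQueries` step produces.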

Details

Bert-Jan Pals

Released: December 12, 2023

Tables

DeviceProcessEvents

Keywords

Devices,Intune,User

Operators

where, extend, case, isnotempty, split, mv-apply, where, isnotempty, extend, tolower, summarize, arg_max, by, ReportId, summarize, count, sort