Merge pull request #113 from rosenmoore/master

improve detection of use of net.exe on CLI
microsoft · Apr 22, 2020 · b31f46c · b31f46c
2 parents 8169752 + ead0612
commit b31f46c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Discovery/Enumeration of users & groups for lateral movement.txt b/Discovery/Enumeration of users & groups for lateral movement.txt
@@ -2,7 +2,7 @@
 DeviceProcessEvents 
 | where Timestamp > ago(14d) 
 | where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\'  and ProcessCommandLine !contains '/add' 
-| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine endswith ' /do' or ProcessCommandLine endswith ' /domain') 
+| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain') 
 | extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine) | filter Target  != '' 
 | project AccountName, Target, ProcessCommandLine, DeviceName, Timestamp  
-| sort by AccountName, Target
+| sort by AccountName, Target