From ead061213e557c745b41c47b71a2e70d3622f28e Mon Sep 17 00:00:00 2001
From: rosenmoore
Date: Thu, 16 Apr 2020 14:54:16 +0300
Subject: [PATCH] improve detection of use of net CLI process command line might not have /domain or /do at the end
---
 .../Enumeration of users & groups for lateral movement.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Discovery/Enumeration of users & groups for lateral movement.txt b/Discovery/Enumeration of users & groups for lateral movement.txt
index 74882eef..702bde77 100644
--- a/Discovery/Enumeration of users & groups for lateral movement.txt
+++ b/Discovery/Enumeration of users & groups for lateral movement.txt
@@ -2,7 +2,7 @@ DeviceProcessEvents
 | where Timestamp > ago(14d)
 | where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
-| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine endswith ' /do' or ProcessCommandLine endswith ' /domain')
+| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain')
 | extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine)
 | filter Target != ''
 | project AccountName, Target, ProcessCommandLine, DeviceName, Timestamp
-| sort by AccountName, Target
\ No newline at end of file
+| sort by AccountName, Target
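Review bot: On the new `+| where` line, `ProcessCommandLine contains ' /do'` already matches every command line that contains ` /domain` (a prefix match, and KQL `contains` is case-insensitive), so the `or ProcessCommandLine contains ' /domain'` disjunct is dead and only obscures the intent. Since `/do` is the accepted abbreviation of `/domain` and no other `net user`/`net group` switch begins with `/do`, the line can be simplified to `| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and ProcessCommandLine contains ' /do'` with a comment such as `// ' /do' is the documented short form of ' /domain'; the prefix match covers both spellings, anywhere on the command line`. Outside the changed line, the query is keyed on `FileName == 'net.exe'` only; on Windows `net.exe` hands the request to `net1.exe`, which can be invoked directly to sidestep this filter, so `FileName in~ ('net.exe', 'net1.exe')` would presumably close that gap — worth confirming against the tenant's DeviceProcessEvents before widening. Also on the unchanged `extend` line, `[user|group]` is a character class rather than an alternation; it only works because both keywords end in a letter from that set, and it captures a trailing space into `Target`, so `(?i)\b(?:user|group) ("?[a-zA-Z0-9_ -]+"?)` would be the cleaner pattern.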