Approved

Threat Hunting - Account Discovery

Here is a simple query that can be used to look for any executions of the net.exe command. These are often used by threat actors and malware alike to discover the username and group memberships of local as well as domain accounts.

-- Account Discovery: Local Accounts
-- T1087:001 and T1087:002 Looking for net commands exploring local and domain account listings
-- VARIABLE:   $$Begin Search on date$$                  DATE
-- VARIABLE:   $$End Search on date$$                    DATE


SELECT DISTINCT
   CAST( replace(datetime(spj.time,'unixepoch'),' ','T') AS TEXT)Date_Time, -- add the T to help excel understand this is a date and time   *
   CAST( replace(datetime(spj.processStartTime,'unixepoch'), ' ', 'T') AS TEXT)Process_Start_Time,
   PID,
   sophosPID,
   CAST( replace(datetime(spj.parentProcessStartTime,'unixepoch'), ' ', 'T') AS TEXT)Parent_Process_Start_Time,
   parentPID,
   parentSophosPID,
   CAST( users.username AS TEXT) User_Name,
   sessionId,
   pathname,
   processName,
   cmdLine,
   sha256
FROM sophos_process_journal spj
   LEFT JOIN users ON uuid LIKE sid
WHERE spj.time > $$Begin Search on date$$ AND spj.time < $$End Search on date$$
AND
   spj.processName LIKE 'net%'
AND
   (spj.cmdLine LIKE '%localgroup%' OR spj.cmdLine LIKE '%user%' OR spj.cmdLine LIKE '%group%' OR spj.cmdLine)