Here is a simple query that can be used to look for any executions of the net.exe command. The net command is often used by threat actors and malware alike to discover the usernames and group memberships of local as well as domain accounts.
```sql
-- Account Discovery: Local Accounts
-- T1087.001 and T1087.002: looking for net commands exploring local and domain account listings
-- VARIABLE: $$Begin Search on date$$ DATE
-- VARIABLE: $$End Search on date$$ DATE
SELECT DISTINCT
    CAST(replace(datetime(spj.time, 'unixepoch'), ' ', 'T') AS TEXT) Date_Time, -- add the T to help Excel understand this is a date and time
    CAST(replace(datetime(spj.processStartTime, 'unixepoch'), ' ', 'T') AS TEXT) Process_Start_Time,
    PID,
    sophosPID,
    CAST(replace(datetime(spj.parentProcessStartTime, 'unixepoch'), ' ', 'T') AS TEXT) Parent_Process_Start_Time,
    parentPID,
    parentSophosPID,
    CAST(users.username AS TEXT) User_Name,
    sessionId,
    pathname,
    processName,
    cmdLine,
    sha256
FROM sophos_process_journal spj
LEFT JOIN users ON uuid LIKE sid -- resolve the process owner's SID to a username
WHERE spj.time > $$Begin Search on date$$
  AND spj.time < $$End Search on date$$
  AND spj.processName LIKE 'net%' -- net.exe and net1.exe, plus any other process name starting with "net"
  AND (spj.cmdLine LIKE '%localgroup%'
       OR spj.cmdLine LIKE '%user%'
       OR spj.cmdLine LIKE '%group%')
```
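An added example, not part of the original query or any Sophos code: the query's WHERE clause run through Python's `sqlite3` over constructed process-journal rows, showing that `processName LIKE 'net%'` also returns `netsh.exe` when its command line happens to contain "user". The three-column table, the sample rows and the stricter `STRICT_FILTER` variant are assumptions made for illustration.

```python
import sqlite3

# Constructed rows (time, processName, cmdLine); not real telemetry.
ROWS = [
    (1700000100, "net.exe", "net user /domain"),
    (1700000200, "net1.exe", "C:\\Windows\\system32\\net1 localgroup administrators"),
    (1700000300, "net.exe", 'net group "Domain Admins" /domain'),
    (1700000400, "net.exe", "net use Z: \\\\fs01\\share"),  # no user/group keyword
    (1700000500, "netsh.exe", "netsh wlan export profile folder=C:\\Users\\alice\\Desktop"),
    (1700000600, "whoami.exe", "whoami /groups"),  # keyword present, wrong process
    (1600000000, "net.exe", "net user"),  # outside the search window
]

# Command-line terms exactly as in the query above.
CMDLINE = ("(cmdLine LIKE '%localgroup%' OR cmdLine LIKE '%user%' "
           "OR cmdLine LIKE '%group%')")
# The page's process filter.
PAGE_FILTER = "processName LIKE 'net%' AND " + CMDLINE
# Assumed tightening (not from the page): only net.exe and its helper net1.exe.
STRICT_FILTER = "lower(processName) IN ('net.exe', 'net1.exe') AND " + CMDLINE


def hits(where, begin, end):
    """Return (Date_Time, processName) rows matching `where` in the time window."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sophos_process_journal "
               "(time INTEGER, processName TEXT, cmdLine TEXT)")
    db.executemany("INSERT INTO sophos_process_journal VALUES (?, ?, ?)", ROWS)
    sql = ("SELECT replace(datetime(time, 'unixepoch'), ' ', 'T'), processName "
           "FROM sophos_process_journal "
           "WHERE time > ? AND time < ? AND " + where + " ORDER BY time")
    return db.execute(sql, (begin, end)).fetchall()


if __name__ == "__main__":
    for label, where in (("page", PAGE_FILTER), ("strict", STRICT_FILTER)):
        print(label, hits(where, 1700000000, 1700001000))
```

The `netsh.exe` row matches the page's filter because `LIKE` is case-insensitive for ASCII in SQLite, so `%user%` matches the `C:\Users\` path in its arguments.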