A simple query that looks for executions of net.exe using the accounts switch. Adversaries sometimes use these commands to discover the local and domain password policies that are enforced.
-- Account Discovery: Password Policies
-- T1201 (Password Policy Discovery): looks for "net accounts" and "net accounts /domain"
-- VARIABLE: $$Begin Search on date$$ DATE
-- VARIABLE: $$End Search on date$$ DATE
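-- Hunt for password-policy discovery through "net accounts" / "net accounts /domain" (T1201).
-- Reads process records from sophos_process_journal inside the analyst-supplied time window
-- and resolves each record's SID to a user name through the users table.
-- Triage note: administrators and management scripts may run "net accounts" legitimately, so
-- review the parent process, user and host before treating a hit as adversary activity.
-- Coverage note: matching is by file name, so a renamed copy of net.exe is not returned;
-- the sha256 column is included so known binaries can be confirmed by hash.
SELECT DISTINCT
    -- Replace the space in the datetime() output with 'T' so Excel treats the value as a date and time.
    CAST(replace(datetime(spj.time, 'unixepoch'), ' ', 'T') AS TEXT) AS Date_Time,
    CAST(replace(datetime(spj.processStartTime, 'unixepoch'), ' ', 'T') AS TEXT) AS Process_Start_Time,
    spj.PID,
    spj.sophosPID,
    CAST(replace(datetime(spj.parentProcessStartTime, 'unixepoch'), ' ', 'T') AS TEXT) AS Parent_Process_Start_Time,
    spj.parentPID,
    spj.parentSophosPID,
    CAST(users.username AS TEXT) AS User_Name,
    spj.sessionId,
    spj.pathname,
    spj.processName,
    spj.cmdLine,
    spj.sha256
FROM sophos_process_journal AS spj
-- LEFT JOIN keeps the process row when no users row matches the SID; User_Name is then NULL.
LEFT JOIN users
    ON users.uuid LIKE spj.sid
-- The search window is exclusive at both ends.
WHERE spj.time > $$Begin Search on date$$
    AND spj.time < $$End Search on date$$
    -- Match only net.exe and net1.exe (the helper that net.exe hands work to). The previous
    -- 'net%' prefix also returned netsh.exe, netstat.exe and any other name starting with "net".
    AND LOWER(spj.processName) IN ('net.exe', 'net1.exe')
    -- Substring match on the command line; it covers both the local and the /domain form.
    AND spj.cmdLine LIKE '%accounts%'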