The hypothesis is that adversaries are searching for highly-privileged accounts to gain elevated access and potentially deploy ransomware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage reconnaissance efforts before a full-scale attack occurs.
KQL Query
DeviceProcessEvents
| where FileName == "net.exe"
// Collect the distinct net.exe command lines per initiating process, account and device in 5-minute windows
| summarize make_set(ProcessCommandLine) by InitiatingProcessFileName, AccountName, DeviceId, bin(Timestamp, 5m)
// Keep only windows where net.exe enumerated a privileged domain group (e.g. "net group ... /domain")
| where (set_ProcessCommandLine has "admin"
    and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators"))
    and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do"
id: d3123681-8eed-4a6d-b0c0-05d0075e3e69
name: Discovery for highly-privileged accounts
description: |
  Use this query to locate commands related to discovering highly privileged users in an environment, sometimes a precursor to ransomware
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Discovery
  - Ransomware
query: |
  DeviceProcessEvents
  | where FileName == "net.exe"
  // Collect the distinct net.exe command lines per initiating process, account and device in 5-minute windows
  | summarize make_set(ProcessCommandLine) by InitiatingProcessFileName, AccountName, DeviceId, bin(Timestamp, 5m)
  // Keep only windows where net.exe enumerated a privileged domain group (e.g. "net group ... /domain")
  | where (set_ProcessCommandLine has "admin"
      and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators"))
      and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
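To see what the query above actually selects, here is an added Python example (not part of the original hunting query) that replays its logic over a handful of constructed DeviceProcessEvents-style records: it bins net.exe launches into 5-minute windows per initiating process, account and device, builds the distinct command-line set, applies the privileged-group predicate, and drops windows whose parent is a known scheduled-job host, as the first false-positive scenario below suggests. The record layout, the sample events and the `excluded_parents` list are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in DeviceProcessEvents column order (not real telemetry).
FIELDS = ("Timestamp", "DeviceId", "AccountName", "InitiatingProcessFileName",
          "FileName", "ProcessCommandLine")
SAMPLE_EVENTS = [
    ("2024-01-10T09:01:10", "dev-1", "jdoe", "cmd.exe", "net.exe", 'net group "Domain Admins" /do'),
    ("2024-01-10T09:03:42", "dev-1", "jdoe", "cmd.exe", "net.exe", 'net group "Enterprise Admins" /domain'),
    ("2024-01-10T09:02:05", "dev-2", "svc-bk", "cmd.exe", "net.exe", "net user svc-bk /do"),
    ("2024-01-10T09:11:00", "dev-2", "svc-bk", "cmd.exe", "net.exe", 'net group "Backup Operators" /do'),
    ("2024-01-10T09:11:30", "dev-2", "svc-bk", "cmd.exe", "whoami.exe", "whoami /groups"),
    ("2024-01-10T09:20:00", "dev-3", "SYSTEM", "schtasks.exe", "net.exe", 'net group "Domain Admins" /do'),
]


def bin_5m(ts: str) -> datetime:
    """Floor an ISO timestamp to its 5-minute window, like bin(Timestamp, 5m)."""
    t = datetime.fromisoformat(ts)
    return t - timedelta(minutes=t.minute % 5, seconds=t.second, microseconds=t.microsecond)


def privileged_group_discovery(cmdset: list[str]) -> bool:
    """The query's `where` predicate applied to one window's command-line set.
    Approximation: KQL `has`/`has_any` match whole terms (case-insensitive) while
    this uses substrings, so this check is slightly looser than the real query."""
    blob = " ".join(cmdset).lower()
    return ("admin" in blob
            and any(k in blob for k in ("domain", "enterprise", "backup operators"))
            and "group" in blob and "/do" in blob)


def hunt(events, excluded_parents=("schtasks.exe", "at.exe")):
    """Return {(parent, account, device, window): [command lines]} for suspicious windows.
    excluded_parents is an assumed allowlist for known maintenance job hosts."""
    sets = defaultdict(list)
    for e in events:
        rec = dict(zip(FIELDS, e))
        if rec["FileName"].lower() != "net.exe":
            continue
        key = (rec["InitiatingProcessFileName"], rec["AccountName"], rec["DeviceId"],
               bin_5m(rec["Timestamp"]))
        if rec["ProcessCommandLine"] not in sets[key]:  # make_set keeps distinct values only
            sets[key].append(rec["ProcessCommandLine"])
    return {k: v for k, v in sets.items()
            if privileged_group_discovery(v) and k[0].lower() not in excluded_parents}


if __name__ == "__main__":
    for key, cmds in hunt(SAMPLE_EVENTS).items():
        print(key, cmds)
```

Only the jdoe window on dev-1 survives: the backup-service window lacks an admin group name, and the schtasks.exe-launched enumeration is dropped by the allowlist.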
Scenario: Scheduled Job for User Account Maintenance
Description: A legitimate scheduled job runs daily to clean up old user accounts or update permissions, which may include querying user attributes.
Filter/Exclusion: Exclude commands related to scheduled jobs with known maintenance tasks (e.g., schtasks.exe, at.exe, or job names containing “user cleanup” or “account maintenance”).
Scenario: Active Directory Replication or Sync Task
Description: An AD replication or synchronization task between domain controllers may involve querying user attributes, including privileged accounts.
Filter/Exclusion: Exclude commands executed by domain controllers or related to replication (e.g., repadmin.exe, ntdsutil, or tasks with “replication” in the command line).
Scenario: Privileged User Audit or Compliance Check
Description: A security team member is performing an audit or compliance check on privileged users, which may involve querying user details.
Filter/Exclusion: Exclude commands executed by known security tools (e.g., PowerShell with Get-ADUser, Auditpol, or Audittrail) or by users with a specific role like “Security Admin”.
Scenario: System Backup or Inventory Scan
Description: A system backup tool or inventory scan may query user information as part of its data collection process.
Filter/Exclusion: Exclude commands related to backup tools (e.g., Veeam, CommCell, or wbadmin) or inventory tools (e.g., SCOM, Microsoft Intune).
Scenario: User Migration or Role Change Process
Description: A user migration or role change process may involve querying and updating user attributes, including privileged accounts.
Filter/Exclusion: Exclude commands associated with user migration tools (e.g., Microsoft 365 Migration, `