Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessFileName =~ "cmd.exe" | where FileName =~ "netstat.exe" | project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName

DeviceProcessEvents | where ActionType == 'ProcessCreated' | where FileName endswith '.exe' and tolower(FileName) contains 'netstat' // Filter for 'netstat' utility | extend CommandLine = tolower(InitiatingProcessCommandLine) | where CommandLine contains 'netstat' // Filter for the specific netstat command

DeviceProcessEvents | where InitiatingProcessFileName == 'cmd.exe' and ProcessCommandLine has 'netstat' | project DeviceId, DeviceName, AccountName, ProcessCommandLine, TimeGenerated | distinct DeviceId, DeviceName, AccountName, ProcessCommandLine, TimeGenerated

DeviceProcessEvents | where FileName =~ "netstat.exe" or FileName =~ "netstat" | extend Parent = InitiatingProcessFileName | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, Parent, InitiatingProcessCommandLine | order by TimeGenerated desc

let CmdStart = DeviceProcessEvents | where FileName =~ "cmd.exe" | summarize arg_min(Timestamp, *) by InitiatingProcessAccountSid, DeviceName, FileName; let BuiltinTools = dynamic([ "netstat.exe", "net.exe", "tasklist.exe" ]); let OriginalTool = DeviceProcessEvents | join kind=inner ( CmdStart ) on $left.DeviceName == $right.DeviceName, $left.InitiatingProcessAccountSid == $right.InitiatingProcessAccountSid | where FileName in (BuiltinTools) | summarize arg_min(Timestamp, *) by DeviceName, InitiatingProcessAccountSid, FileName; OriginalTool | extend ToConsole = iif(isnotempty(ProcessVersionInfoFileDescription), 1, 0) | extend Filename = iif(ToConsole == 1, "N/A", tostring(split(ProcessCommandLine, ">", 1)[1])) | project-reorder DeviceName, InitiatingProcessAccountSid, FileName, ToConsole, Filename | sort by DeviceName desc, InitiatingProcessAccountSid // The query outputs details about the tool found in the cmd.exe process tree, whether output went to the console or file, and the associated machine/user details.

DeviceProcessEvents | where (FileName endswith 'cmd.exe' or InitiatingProcessFileName endswith 'cmd.exe') | extend ProcessCmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | where ProcessCmdLine contains 'netstat' or ProcessCmdLine contains '/netstat' | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCmdLine, InitiatingProcessId | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessCommandLine has_any ("netstat", "nbtstat") | extend ToolName = iff(InitiatingProcessCommandLine has "netstat", "netstat", iff(InitiatingProcessCommandLine has "nbtstat", "nbtstat", "")) | project TimeGenerated, InitiatingProcessAccountName, InitiatingProcessCommandLine, ToolName

DeviceProcessEvents | where ActionType == "ProcessCreated" // Focus on tools that enumerate current connections | where tolower(FileName) in ("netstat.exe","powershell.exe","netsh.exe") or ProcessCommandLine has_any ("netstat","Get-NetTCPConnection","Get-NetUDPEndpoint","show tcpconnections","show tcp") // Keep only executions that actually map to connection enumeration | where ( tolower(FileName) == "netstat.exe" ) or ( tolower(FileName) == "powershell.exe" and ProcessCommandLine has_any ("Get-NetTCPConnection","Get-NetUDPEndpoint") ) or ( tolower(FileName) == "netsh.exe" and ProcessCommandLine has_any ("show tcpconnections","show conn","show connections","show tcp") ) // Ensure it was launched from Windows Command Prompt (cmd) context | where tolower(InitiatingProcessFileName) in ("cmd.exe","conhost.exe") or tolower(InitiatingProcessParentFileName) == "cmd.exe" or InitiatingProcessCommandLine has @"\cmd.exe" // Identify the exact tool | extend ExactTool = case( tolower(FileName) == "netstat.exe", "netstat.exe", tolower(FileName) == "powershell.exe" and ProcessCommandLine has "Get-NetTCPConnection", "PowerShell:Get-NetTCPConnection", tolower(FileName) == "powershell.exe" and ProcessCommandLine has "Get-NetUDPEndpoint", "PowerShell:Get-NetUDPEndpoint", tolower(FileName) == "netsh.exe", "netsh.exe", "Unknown") | project TimeGenerated, DeviceName, AccountDomain, AccountName, ExactTool, FileName, ProcessCommandLine, ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine, PID=ProcessId, ParentPID=InitiatingProcessId, ReportId | order by TimeGenerated desc

let network_tools = dynamic(["netstat","get-nettcpconnection","get-netudpendpoint","ipconfig","arp","route","nbtstat","ss"]); // Process creation observations let DPE = DeviceProcessEvents | where (tolower(InitiatingProcessFileName) has "cmd.exe" or tolower(InitiatingProcessFileName) has "powershell.exe" or tolower(InitiatingProcessFileName) has "pwsh.exe") | where (tolower(FileName) has_any (network_tools) or tolower(ProcessCommandLine) has_any (network_tools)) | extend Source = "DeviceProcessEvents", ObservedTime = TimeGenerated, ToolFileName = FileName, ToolCommandLine = ProcessCommandLine, ParentFileName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, ToolPID = ProcessId, Account = AccountName; // Generic device events that may include command lines let DE = DeviceEvents | where (tolower(InitiatingProcessFileName) has "cmd.exe" or tolower(InitiatingProcessFileName) has "powershell.exe" or tolower(InitiatingProcessFileName) has "pwsh.exe") | where isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has_any (network_tools) | extend Source = "DeviceEvents", ObservedTime = TimeGenerated, ToolFileName = FileName, ToolCommandLine = ProcessCommandLine, ParentFileName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, ToolPID = coalesce(ProcessId, InitiatingProcessId), Account = AccountName; union DPE, DE | extend DetectedTool = case( tolower(ToolFileName) has "netstat" or tolower(ToolCommandLine) has "netstat", "netstat", tolower(ToolFileName) has "ipconfig" or tolower(ToolCommandLine) has "ipconfig", "ipconfig", tolower(ToolCommandLine) has "get-nettcpconnection" or tolower(ToolCommandLine) has "get-netudpendpoint", "Get-NetTCPConnection/UDPEndpoint", tolower(ToolCommandLine) has "arp", "arp", tolower(ToolCommandLine) has "route", "route", tolower(ToolCommandLine) has "nbtstat", "nbtstat", tolower(ToolCommandLine) has "ss", "ss", "other" ) | summarize Count = count(), FirstSeen = min(ObservedTime), LastSeen = max(ObservedTime) by DeviceName, Account, ParentFileName, ParentCommandLine, ToolFileName, ToolPID, DetectedTool, Source | project DeviceName, Account, InitiatingProcess = ParentFileName, InitiatingCommandLine = ParentCommandLine, ToolFileName, DetectedTool, ToolPID, Source, FirstSeen, LastSeen, Count | order by LastSeen desc

DeviceProcessEvents | where InitiatingProcessFileName contains_cs "cmd.exe" | where (FileName contains_cs "netstat" or ProcessCommandLine contains_cs "netstat" or InitiatingProcessCommandLine contains_cs "netstat") | extend Tool = FileName | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Tool | distinct TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Tool

DeviceProcessEvents | where InitiatingProcessFileName =~ 'cmd.exe' | where FileName in~ ('netstat.exe', 'ipconfig.exe', 'arp.exe') | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessAccountName | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine contains 'netstat' | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc | limit 10

DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessFileName =~ "cmd.exe" | where FileName =~ "netstat.exe" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where InitiatingProcessFileName =~ "cmd.exe" | where FileName =~ "netstat.exe" | project TimeGenerated, DeviceName, FolderPath, InitiatingProcessAccountDomain, InitiatingProcessAccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

// "Who ran netstat to list current network connections?" DeviceProcessEvents | where ActionType == "ProcessCreated" // --- Identify the utility ---------------------------------------------------- | where FileName =~ "netstat.exe" or ProcessCommandLine has "netstat" // --- (Optional) keep only typical listing switches -------------------------- | where ProcessCommandLine has_any (" -a", " -an", " -ano", " -b", " -n", " -o") // --- Basic enrichment -------------------------------------------------------- | extend ParentProcess = tostring(InitiatingProcessFileName), ParentCmdLine = tostring(InitiatingProcessCommandLine), User = strcat(AccountDomain, "\\", AccountName) // --- Output ----------------------------------------------------------------- | project TimeGenerated, DeviceName, User, FileName, ProcessCommandLine, ParentProcess, ParentCmdLine, SHA256, InitiatingProcessSHA256, IsProcessElevated = iff(ProcessTokenElevation == "Elevated", true, false) | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessFileName =~ "cmd.exe" and ProcessCommandLine has "netstat" | extend ToolExecuted = tostring(split(ProcessCommandLine, ' ')[0]) | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ToolExecuted | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessFileName =~ "cmd.exe" and FileName =~ "netstat.exe" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where tolower(InitiatingProcessFileName) == "cmd.exe" | where tolower(FileName) == "netstat.exe" or ProcessCommandLine has_any ("netstat", "Get-NetTCPConnection") | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ChildProcessFileName = FileName, ChildProcessCommandLine = ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessFileName == "cmd.exe" // Filter to child processes of cmd.exe that enumerate network connections | where ProcessCommandLine contains "netstat" // Select relevant details to identify the tool and context | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine