Query Details

Default Local Admin Logon Detection

Query

//This query identifies logon events for the default (built-in, RID 500) local Administrator account
//Excludes the default domain Administrator accounts (also RID 500) using SID filtering
//Defender XDR
let DefaultDomainAdministrators = dynamic([
    "S-1-5-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-500", //Default Domain Administrator SID Domain X
    "S-1-5-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-500" // Default Domain Administrator SID Domain Y
    ]);
DeviceLogonEvents
//RID 500 is the built-in Administrator: this matches the local account of every device and the domain account alike
| where AccountSid startswith "S-1-5-" and AccountSid endswith "-500"
| where IsLocalAdmin == true
//Enrich each event with the latest DeviceInfo snapshot per device (OSPlatform, MachineGroup)
| join kind = inner (
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId
    )
    on $left.DeviceId == $right.DeviceId
//!in~ is a case-insensitive "not in"; comment this line if you also want to see default domain administrator logins
| where AccountSid !in~ (DefaultDomainAdministrators)
| summarize count()
    by
    DeviceName,
    LogonType,
    AccountDomain,
    AccountName,
    OSPlatform,
    MachineGroup

Explanation

This query is designed to identify logon events specifically for the default local administrator accounts on devices, while excluding logons by domain administrator accounts using Security Identifier (SID) filtering. Here's a breakdown of what the query does:

  1. Define Default Domain Administrators: It starts by defining a list of SIDs that represent default domain administrator accounts for two domains (Domain X and Domain Y).

  2. Filter Logon Events: It searches through DeviceLogonEvents for logon events where the AccountSid starts with "S-1-5-" and ends with "-500". The relative identifier (RID) 500 is reserved for the built-in Administrator account, so this matches the local Administrator of every device (S-1-5-21-&lt;machine SID&gt;-500), but it also matches the domain Administrator (S-1-5-21-&lt;domain SID&gt;-500), which is why step 5 is needed.

  3. Check for Local Admin: It further filters these events to include only those where the account is a local administrator (IsLocalAdmin == true).

  4. Join with Device Info: The query joins the filtered logon events with the latest device information from DeviceInfo based on DeviceId.

  5. Exclude Domain Admins: It excludes logon events for accounts whose SID matches one of the default domain administrators defined earlier (!in~ compares case-insensitively). This line can be commented out if you want to include these logons as well.

  6. Summarize Results: Finally, it summarizes the count of these logon events, grouping them by several attributes: DeviceName, LogonType, AccountDomain, AccountName, OSPlatform, and MachineGroup.

In simple terms, this query helps you track logon activities of local administrator accounts on devices, while filtering out those associated with domain administrator accounts, and provides a summary based on various device and account attributes.
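The steps above, re-implemented in plain Python as an added example (this is not part of the original page and is not the author's query): the RID 500 filter, the IsLocalAdmin filter, the join against the latest DeviceInfo row per DeviceId, the case-insensitive exclusion of the domain Administrator SIDs, and the final grouped count. It runs over constructed DeviceLogonEvents and DeviceInfo rows so the filtering behaviour can be checked without a Defender XDR tenant; every SID, device name, domain name and machine group below is made up, and the exclusion list stands in for the placeholder SIDs in the query.

```python
"""Plain-Python model of the Default Local Admin Logon Detection query.
Added example; all data below is constructed and not taken from a real tenant."""
from collections import Counter

# Stand-in for the DefaultDomainAdministrators list (constructed SIDs).
DEFAULT_DOMAIN_ADMINISTRATORS = {
    "S-1-5-21-1111111111-222222222-3333333333-500",  # Domain X Administrator
    "S-1-5-21-4444444444-555555555-6666666666-500",  # Domain Y Administrator
}

# Constructed DeviceLogonEvents rows (subset of the real schema's columns).
DEVICE_LOGON_EVENTS = [
    # Built-in local Administrator of WS01, twice: should be reported with count 2.
    dict(Timestamp="2024-11-10T08:00:00Z", DeviceId="dev-1", DeviceName="WS01", LogonType="Interactive",
         AccountDomain="ws01", AccountName="administrator", IsLocalAdmin=True,
         AccountSid="S-1-5-21-7777777777-888888888-9999999999-500"),
    dict(Timestamp="2024-11-10T09:00:00Z", DeviceId="dev-1", DeviceName="WS01", LogonType="Interactive",
         AccountDomain="ws01", AccountName="administrator", IsLocalAdmin=True,
         AccountSid="S-1-5-21-7777777777-888888888-9999999999-500"),
    # Domain X Administrator on WS01: also RID 500, so it passes the SID pattern but is excluded by the list.
    dict(Timestamp="2024-11-10T10:00:00Z", DeviceId="dev-1", DeviceName="WS01", LogonType="RemoteInteractive",
         AccountDomain="corpx", AccountName="administrator", IsLocalAdmin=True,
         AccountSid="S-1-5-21-1111111111-222222222-3333333333-500"),
    # Ordinary domain user who is a local admin (RID 1105): not the built-in account, never reported.
    dict(Timestamp="2024-11-10T10:30:00Z", DeviceId="dev-1", DeviceName="WS01", LogonType="Interactive",
         AccountDomain="corpx", AccountName="jdoe", IsLocalAdmin=True,
         AccountSid="S-1-5-21-1111111111-222222222-3333333333-1105"),
    # Built-in local Administrator of SRV01 over the network: reported with count 1.
    dict(Timestamp="2024-11-10T11:00:00Z", DeviceId="dev-2", DeviceName="SRV01", LogonType="Network",
         AccountDomain="srv01", AccountName="administrator", IsLocalAdmin=True,
         AccountSid="S-1-5-21-1212121212-343434343-565656565-500"),
    # Built-in local Administrator of LAPTOP03, which has no DeviceInfo row: dropped by the inner join.
    dict(Timestamp="2024-11-10T12:00:00Z", DeviceId="dev-3", DeviceName="LAPTOP03", LogonType="Interactive",
         AccountDomain="laptop03", AccountName="administrator", IsLocalAdmin=True,
         AccountSid="S-1-5-21-9898989898-767676767-545454545-500"),
]

# Constructed DeviceInfo rows; dev-1 has two snapshots and only the latest one must be used.
DEVICE_INFO = [
    dict(Timestamp="2024-11-01T00:00:00Z", DeviceId="dev-1", DeviceName="WS01",
         OSPlatform="Windows10", MachineGroup="Workstations - old"),
    dict(Timestamp="2024-11-09T00:00:00Z", DeviceId="dev-1", DeviceName="WS01",
         OSPlatform="Windows10", MachineGroup="Workstations"),
    dict(Timestamp="2024-11-09T00:00:00Z", DeviceId="dev-2", DeviceName="SRV01",
         OSPlatform="WindowsServer2022", MachineGroup="Servers"),
]


def is_builtin_administrator(sid: str) -> bool:
    """AccountSid startswith "S-1-5-" and AccountSid endswith "-500".
    RID 500 is the built-in Administrator, so this matches local and domain accounts alike."""
    return sid.startswith("S-1-5-") and sid.endswith("-500")


def latest_device_info(device_info):
    """DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId.
    Timestamps are ISO-8601 strings in one timezone, so string comparison orders them correctly."""
    latest = {}
    for row in device_info:
        current = latest.get(row["DeviceId"])
        if current is None or row["Timestamp"] > current["Timestamp"]:
            latest[row["DeviceId"]] = row
    return latest


def default_local_admin_logons(logon_events, device_info,
                               excluded_sids=DEFAULT_DOMAIN_ADMINISTRATORS,
                               include_domain_admins=False):
    """Return {(DeviceName, LogonType, AccountDomain, AccountName, OSPlatform, MachineGroup): count}.
    include_domain_admins=True corresponds to commenting out the !in~ line in the query."""
    # !in~ is case-insensitive, so compare lower-cased SIDs.
    excluded = set() if include_domain_admins else {s.lower() for s in excluded_sids}
    info = latest_device_info(device_info)
    counts = Counter()
    for ev in logon_events:
        if not is_builtin_administrator(ev["AccountSid"]):
            continue
        if not ev["IsLocalAdmin"]:
            continue
        device = info.get(ev["DeviceId"])
        if device is None:  # inner join: events without a DeviceInfo row are dropped
            continue
        if ev["AccountSid"].lower() in excluded:
            continue
        # DeviceName comes from the left side of the join (the logon event), as in the query.
        key = (ev["DeviceName"], ev["LogonType"], ev["AccountDomain"], ev["AccountName"],
               device["OSPlatform"], device["MachineGroup"])
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in default_local_admin_logons(DEVICE_LOGON_EVENTS, DEVICE_INFO).items():
        print(n, *key)
```

Two things worth checking against your own tenant before trusting the real query: that the placeholder SIDs in the list really are your domains' RID 500 accounts (the domain Administrator logon above would surface as a "local admin" hit otherwise), and that every device you care about has a DeviceInfo row, since the inner join silently drops logons from devices without one.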

Details


Loris Ambrozzo

Released: November 10, 2024

Tables

DeviceLogonEvents, DeviceInfo

Keywords

DeviceLogonEvents, DeviceInfo, DeviceName, LogonType, AccountDomain, AccountName, OSPlatform, MachineGroup

Operators

let, dynamic, startswith, endswith, ==, !=, !in~, true, join, kind, inner, summarize, arg_max, by, count()
