Query Details

Device Accounts with Most Local Admin

Query

//Find which of your accounts have logged onto the most devices with local admin credentials. These accounts are potential targets for lateral movement and privilege escalation

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceLogonEvents
| where TimeGenerated > ago(30d)
| project DeviceName, ActionType, LogonType, AdditionalFields, InitiatingProcessCommandLine, AccountName, IsLocalAdmin
| where ActionType == "LogonSuccess"
| where LogonType == "Interactive"
| where AdditionalFields.IsLocalLogon == true
| where InitiatingProcessCommandLine == "lsass.exe"
// IsLocalAdmin is a bool column, so compare against the bool literal, not the string "true"
| summarize
    ['Local Admin Count']=dcountif(DeviceName, IsLocalAdmin == true),
    ['Local Admins']=make_set_if(DeviceName, IsLocalAdmin == true)
    by AccountName
| sort by ['Local Admin Count'] desc

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceLogonEvents
| where Timestamp > ago(30d)
| project DeviceName, ActionType, LogonType, AdditionalFields, InitiatingProcessCommandLine, AccountName, IsLocalAdmin
| where ActionType == "LogonSuccess"
| where LogonType == "Interactive"
| where IsLocalAdmin == true
| where InitiatingProcessCommandLine == "lsass.exe"
// IsLocalAdmin is a bool column; the conditions below match the filter above
| summarize
    ['Local Admin Count']=dcountif(DeviceName, IsLocalAdmin == true),
    ['Local Admins']=make_set_if(DeviceName, IsLocalAdmin == true)
    by AccountName
| sort by ['Local Admin Count'] desc

Explanation

This query finds the accounts that have logged onto the most devices with local admin credentials. These accounts are potential targets for lateral movement and privilege escalation. The query looks at logon events from the past 30 days and filters for successful interactive logons initiated by lsass.exe; the Microsoft Sentinel variant checks the IsLocalLogon flag in AdditionalFields, while the Advanced Hunting variant filters directly on IsLocalAdmin. It then summarizes the results by account name, counting the number of distinct devices each account has logged onto as a local admin and building a set of those device names. The results are sorted in descending order by the number of distinct devices on which the account is a local admin.
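To make the aggregation concrete, the following Python reimplements the query's row filters and summarize over a handful of constructed DeviceLogonEvents-style records. It is an added example, not part of this page or of the original query; the sample records, the reference time and the threshold helper are assumptions made for the illustration. It shows that dcountif counts distinct devices (a repeated logon to the same device counts once), that an account which passes the row filters but never holds local admin still appears with a count of 0, and adds the simple threshold check a defender would typically apply to the result.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample records standing in for the
# DeviceLogonEvents table; none of this is real telemetry.
REFERENCE_TIME = datetime(2022, 6, 17, tzinfo=timezone.utc)


def make_event(account, device, days_ago, is_local_admin, *,
               action="LogonSuccess", logon_type="Interactive",
               is_local_logon=True, initiating="lsass.exe"):
    """Build one record with the columns the page's query projects."""
    return {
        "TimeGenerated": REFERENCE_TIME - timedelta(days=days_ago),
        "DeviceName": device,
        "ActionType": action,
        "LogonType": logon_type,
        "AdditionalFields": {"IsLocalLogon": is_local_logon},
        "InitiatingProcessCommandLine": initiating,
        "AccountName": account,
        "IsLocalAdmin": is_local_admin,
    }


SAMPLE_EVENTS = [
    make_event("helpdesk1", "ws01", 1, True),
    make_event("helpdesk1", "ws01", 2, True),    # same device again: counted once
    make_event("helpdesk1", "ws02", 3, True),
    make_event("helpdesk1", "srv01", 5, True),
    make_event("helpdesk1", "srv09", 45, True),  # outside the 30-day window
    make_event("alice", "ws03", 1, False),       # interactive, but not local admin
    make_event("bob", "ws04", 1, True, action="LogonFailed"),
    make_event("svc_backup", "srv02", 1, True, logon_type="Network"),
    make_event("carol", "ws05", 1, True, is_local_logon=False),
    make_event("dave", "ws06", 1, True, initiating="explorer.exe"),
    make_event("erin", "ws07", 4, True),
]


def passes_row_filters(event, window_start):
    """Mirror the query's where clauses: time window, successful interactive
    logon, IsLocalLogon flag in AdditionalFields, lsass.exe as initiator."""
    return (event["TimeGenerated"] > window_start
            and event["ActionType"] == "LogonSuccess"
            and event["LogonType"] == "Interactive"
            and event["AdditionalFields"].get("IsLocalLogon") is True
            and event["InitiatingProcessCommandLine"] == "lsass.exe")


def local_admin_footprint(events, now=REFERENCE_TIME, lookback_days=30):
    """Equivalent of the query's summarize ... by AccountName.

    Returns (AccountName, local_admin_count, sorted device list) tuples,
    ordered like 'sort by Local Admin Count desc'. As with dcountif and
    make_set_if, an account that passed the row filters but was never a
    local admin still appears, with a count of 0 and an empty set.
    """
    window_start = now - timedelta(days=lookback_days)
    devices_by_account = {}
    for event in events:
        if not passes_row_filters(event, window_start):
            continue
        admin_devices = devices_by_account.setdefault(event["AccountName"], set())
        if event["IsLocalAdmin"] is True:
            admin_devices.add(event["DeviceName"])
    rows = [(account, len(devs), sorted(devs))
            for account, devs in devices_by_account.items()]
    # Highest footprint first; account name breaks ties deterministically.
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def accounts_over_threshold(rows, max_devices):
    """Defender follow-up (assumed policy): accounts whose local-admin
    footprint exceeds the number of devices allowed for one account."""
    return [account for account, count, _ in rows if count > max_devices]


if __name__ == "__main__":
    result = local_admin_footprint(SAMPLE_EVENTS)
    for account, count, devs in result:
        print(f"{account:<12}{count:>3}  {devs}")
    print("over threshold (2):", accounts_over_threshold(result, 2))
```

Running it lists helpdesk1 with three distinct devices (the duplicate ws01 logon and the 45-day-old srv09 event do not add to the count), erin with one, and alice with zero; the failed, network, non-local and non-lsass logons never reach the summarize at all, so those accounts are absent, exactly as in the KQL.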

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceLogonEvents

Keywords

Devices, Intune, User

Operators

where, project, summarize, sort by, ago, dcountif, make_set_if