KQL Search

Query Details

HomeAI ToolsDevice Query

Device Detect Local Admins Who Havent Elevated

Query

// Searches for local admin log on events and then on process events that require full token elevation, query returns users who have logged on as an admin but not required admin access for 30 days

//Data connector required for this query - M365 Defender - Device* tables

// Exclude a list of known processes in your environment that require TokenElevationTypeFull such as conhost, DismHost
let process = dynamic(["conhost.exe", "DismHost.exe", "git.exe", "HPUpdate.exe"]);
let devices =
    DeviceInfo
    | where TimeGenerated > ago(30d)
    | where OSPlatform !contains "Server"
    | summarize arg_max(TimeGenerated, *) by DeviceName
    | project DeviceName
    | join kind=inner ( 
        DeviceLogonEvents
        | where TimeGenerated > ago (14d)
        | where LogonType == "Interactive"
// Exclude accounts such as service desk users who log on to complete admin work
        | where AccountName !contains "admin"
        | where IsLocalAdmin == true
        )
        on DeviceName
    | summarize arg_max (TimeGenerated, *) by DeviceName
    | project DeviceName, AccountName;
DeviceProcessEvents
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    FileName,
    InitiatingProcessFileName,
    InitiatingProcessTokenElevation
| where TimeGenerated > ago(30d)
| where InitiatingProcessTokenElevation == "TokenElevationTypeFull"
| where FileName !in (process)
| join kind=rightanti devices on DeviceName, AccountName

Explanation

This query searches for local admin log on events and process events that require full token elevation. It returns users who have logged on as an admin but have not required admin access for 30 days. The query excludes known processes in the environment that require full token elevation, such as conhost and DismHost. It uses the M365 Defender - Device* tables as the data connector. The query also excludes accounts like service desk users who log on to complete admin work. The final result includes the device name and account name of the users who meet the criteria.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

DeviceProcessEvents

Keywords

Devices,Intune,User

Operators

whereletdynamicDeviceInfoTimeGeneratedagoOSPlatformcontainssummarizearg_maxbyDeviceNameprojectjoininnerDeviceLogonEventsLogonTypeAccountNameIsLocalAdminDeviceProcessEventsFileNameInitiatingProcessFileNameInitiatingProcessTokenElevationinrightanti

Actions