Query Details

Device User Added as Local Admin

Query

//Detect when an admin adds another user to the local administrators group on a device and optionally query IdentityInfo to return the UPN of the user added

//Data connector required for this query - M365 Defender - Device* tables
//Data connector required for this query - Microsoft Sentinel UEBA

DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "UserAccountAddedToLocalGroup"
| where AdditionalFields.GroupName == "Administrators"
// Exclude processes initiated by system as this detection is for end users adding groups
| where InitiatingProcessAccountSid != "S-1-5-18"
| project
    TimeGenerated,
    DeviceName,
    AccountSid,
    Actor=InitiatingProcessAccountName
//Join query to IdentityInfo table to match the AccountSid
//if you do not use the IdentityInfo table remove everything below this line
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN)
    on $left.AccountSid == $right.AccountSID
| project
    TimeGenerated,
    DeviceName,
    ['User Added']=AccountUPN,
    ['User Added Sid']=AccountSID,
    Actor


//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "UserAccountAddedToLocalGroup"
| where AdditionalFields contains "Administrator"
| where InitiatingProcessAccountSid != "S-1-5-18"
| project DeviceName, Actor=InitiatingProcessAccountName, AccountSid
| join kind=inner (
    IdentityInfo)
    on $left.AccountSid == $right.OnPremSid
| project DeviceName, Actor, AccountSid, UserAdded=AccountUpn

Explanation

This query detects when an admin adds another user to the local Administrators group on a device, with an optional join that returns the UPN (User Principal Name) of the user added. The first variant runs in Microsoft Sentinel and needs two data connectors: M365 Defender (for the DeviceEvents table) and Microsoft Sentinel UEBA (for the IdentityInfo table). It filters DeviceEvents for an ActionType of "UserAccountAddedToLocalGroup" where the GroupName in AdditionalFields is "Administrators", and excludes events whose initiating process ran as LocalSystem (SID S-1-5-18), since the detection is aimed at interactive users rather than system-driven changes. It then joins the added account's AccountSid to IdentityInfo (reduced to the latest record per UPN with arg_max) to resolve the AccountUPN. The final result contains TimeGenerated, DeviceName, User Added (UPN), User Added Sid (AccountSID), and the Actor (InitiatingProcessAccountName). The second variant is the Advanced Hunting equivalent: it uses Timestamp instead of TimeGenerated, matches "Administrator" as a substring of AdditionalFields, and joins IdentityInfo on OnPremSid to return AccountUpn.
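To make the stages of the query traceable outside Sentinel, the following Python script (an added example, not part of the original page or its author's query) emulates the detection over constructed DeviceEvents and IdentityInfo rows: the 7-day window, the ActionType and GroupName filters, the LocalSystem exclusion, the 21-day IdentityInfo window with arg_max per UPN, and the inner join on SID. Column names follow the Sentinel tables; the device names, SIDs, UPNs, and timestamps are constructed sample values.

```python
"""Python emulation of the 'Device User Added as Local Admin' KQL detection.
All rows below are constructed sample data, not real telemetry."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)  # fixed "now" for a repeatable run
SYSTEM_SID = "S-1-5-18"                                  # LocalSystem, excluded as the actor
TARGET_ACTION = "UserAccountAddedToLocalGroup"
TARGET_GROUP = "Administrators"


def _ago(days):
    """Equivalent of KQL ago(Nd) relative to the fixed NOW."""
    return NOW - timedelta(days=days)


def _event(days_ago, device, actor_sid, actor, target_sid, group, action=TARGET_ACTION):
    """Build one constructed DeviceEvents row; AdditionalFields is the JSON string Defender emits."""
    return {"TimeGenerated": _ago(days_ago), "DeviceName": device, "ActionType": action,
            "AdditionalFields": json.dumps({"GroupName": group, "GroupDomainName": device}),
            "InitiatingProcessAccountSid": actor_sid, "InitiatingProcessAccountName": actor,
            "AccountSid": target_sid}


ALICE_SID = "S-1-5-21-1111-2222-3333-1001"
BOB_SID = "S-1-5-21-1111-2222-3333-1105"
CAROL_SID = "S-1-5-21-1111-2222-3333-1106"
DAVE_SID = "S-1-5-21-1111-2222-3333-1107"

DEVICE_EVENTS = [
    _event(1, "ws-0421", ALICE_SID, "alice", BOB_SID, "Administrators"),          # should alert
    _event(1, "srv-01", SYSTEM_SID, "SYSTEM", BOB_SID, "Administrators"),        # LocalSystem: excluded
    _event(1, "ws-0421", ALICE_SID, "alice", BOB_SID, "Remote Desktop Users"),   # other group: excluded
    _event(10, "ws-0421", ALICE_SID, "alice", BOB_SID, "Administrators"),        # outside 7d window
    _event(2, "ws-0422", ALICE_SID, "alice", CAROL_SID, "Administrators"),       # identity row too old
    _event(3, "ws-0423", ALICE_SID, "alice", DAVE_SID, "Administrators"),        # no identity row at all
    _event(1, "ws-0421", ALICE_SID, "alice", BOB_SID, "Administrators",
           action="UserAccountRemovedFromLocalGroup"),                          # other action: excluded
]

IDENTITY_INFO = [
    {"TimeGenerated": _ago(2), "AccountUPN": "bob@contoso.example",
     "AccountSID": BOB_SID, "AccountDisplayName": "Bob Smith"},
    {"TimeGenerated": _ago(9), "AccountUPN": "bob@contoso.example",
     "AccountSID": BOB_SID, "AccountDisplayName": "Bob S."},          # older snapshot, dropped by arg_max
    {"TimeGenerated": _ago(30), "AccountUPN": "carol@contoso.example",
     "AccountSID": CAROL_SID, "AccountDisplayName": "Carol Jones"},  # outside the 21d window
]


def parse_group_name(additional_fields):
    """Emulates AdditionalFields.GroupName; returns None when the JSON is absent or malformed."""
    try:
        return json.loads(additional_fields).get("GroupName")
    except (TypeError, ValueError, AttributeError):
        return None


def local_admin_additions(events, lookback_days=7):
    """DeviceEvents stage: time window, ActionType, GroupName, LocalSystem exclusion, projection."""
    rows = []
    for e in events:
        if e["TimeGenerated"] <= _ago(lookback_days):
            continue
        if e["ActionType"] != TARGET_ACTION or parse_group_name(e["AdditionalFields"]) != TARGET_GROUP:
            continue
        if e["InitiatingProcessAccountSid"] == SYSTEM_SID:
            continue
        rows.append({"TimeGenerated": e["TimeGenerated"], "DeviceName": e["DeviceName"],
                     "AccountSid": e["AccountSid"], "Actor": e["InitiatingProcessAccountName"]})
    return rows


def latest_identity_by_upn(identity_rows, lookback_days=21):
    """Emulates: IdentityInfo | where TimeGenerated > ago(21d) | summarize arg_max(TimeGenerated, *) by AccountUPN."""
    latest = {}
    for r in identity_rows:
        if r["TimeGenerated"] <= _ago(lookback_days):
            continue
        current = latest.get(r["AccountUPN"])
        if current is None or r["TimeGenerated"] > current["TimeGenerated"]:
            latest[r["AccountUPN"]] = r
    return list(latest.values())


def detect(events, identity_rows):
    """Inner join on SID; one output row per (event, matching identity) pair, as KQL would produce."""
    by_sid = defaultdict(list)
    for r in latest_identity_by_upn(identity_rows):
        by_sid[r["AccountSID"]].append(r)
    results = []
    for e in local_admin_additions(events):
        for ident in by_sid.get(e["AccountSid"], []):   # no match means the row is dropped
            results.append({"TimeGenerated": e["TimeGenerated"], "DeviceName": e["DeviceName"],
                            "User Added": ident["AccountUPN"], "User Added Sid": ident["AccountSID"],
                            "Actor": e["Actor"]})
    return results


if __name__ == "__main__":
    for row in detect(DEVICE_EVENTS, IDENTITY_INFO):
        print(row)
```

The arg_max step matters in practice: IdentityInfo is a periodically refreshed snapshot, so a user normally has several rows inside the 21-day window, and an inner join without the dedupe would emit one alert row per snapshot for the same event. The inner join also silently drops additions whose target SID has no fresh IdentityInfo record (local-only accounts, or accounts created after the last sync), which is why the original query notes that the join can be removed if IdentityInfo is not in use.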

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents, IdentityInfo

Keywords

DeviceEvents, TimeGenerated, ActionType, AdditionalFields, GroupName, InitiatingProcessAccountSid, DeviceName, AccountSid, Actor, IdentityInfo, AccountUPN, AccountSID, Timestamp, InitiatingProcessAccountName, UserAdded

Operators

where, TimeGenerated, ago, ActionType, AdditionalFields, GroupName, InitiatingProcessAccountSid, project, DeviceName, AccountSid, Actor, join, kind, IdentityInfo, AccountUPN, AccountSID, Timestamp, contains, OnPremSid, UserAdded
