# *Local Administrator Account added by Scheduled Task*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1053.005 | Scheduled Tasks | https://attack.mitre.org/techniques/T1053/005/ |
| T1136.001 | Local Account | https://attack.mitre.org/techniques/T1136/001/ |

#### Description
Inspiration: Paula Januszkiewicz’s session at Swiss Microsoft Security Summit 2026

Description: This rule monitors for the unauthorized addition of local administrators through scheduled tasks. It detects the use of net.exe, net1.exe, cmd.exe and PowerShell (powershell.exe, pwsh.exe) when they are launched by svchost.exe or taskeng.exe, the processes that host scheduled tasks. By filtering for group manipulation commands (e.g., "Add-LocalGroupMember" or "/add"), it identifies potential privilege escalation or persistence techniques where attackers attempt to gain permanent administrative access.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- Swiss Microsoft Security Day 2026 - Session by Paula Januszkiewicz

## Sentinel

```KQL
DeviceProcessEvents
// Parent must be a scheduled-task host (taskeng.exe or the Task Scheduler svchost.exe)
// and the child one of the tools used to change local group membership
| where InitiatingProcessFileName in~ ("taskeng.exe", "svchost.exe")
     and FileName in~ ("net.exe", "net1.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
// Group manipulation: English and German names of the Administrators group,
// "net localgroup", or the PowerShell Add-LocalGroupMember cmdlet
| where ProcessCommandLine has_any ("Administratoren", "Administrators", "LocalGroup", "Add-LocalGroupMember")
// Only additions, not enumeration of group members
| where ProcessCommandLine has_any ("add", "-Member", "/add")
| sort by Timestamp desc
```

## Explanation

This query detects suspicious activity related to the unauthorized addition of local administrator accounts. It looks for processes hosting scheduled tasks, taskeng.exe or svchost.exe, that launch net.exe, net1.exe, powershell.exe, pwsh.exe, or cmd.exe. The command lines of those child processes are then checked for keywords that indicate group manipulation, such as a reference to the "Administrators" group, "Add-LocalGroupMember", or "/add". The results are sorted with the most recent events first, which helps to identify attempts to gain or maintain administrative access through scheduled tasks.
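To reason about what the query matches and, just as importantly, what it lets through, the following Python replays the filter over constructed DeviceProcessEvents-style rows. It is an added example, not part of the original rule or the author's repository: the `has_any` and `in_ci` helpers are approximations of the KQL `has_any` and `in~` operators (whole-term, case-insensitive matching), not Microsoft's implementation, and the sample rows are invented.

```python
"""Offline replay of the 'Local Administrator Account added by Scheduled Task'
filter over constructed DeviceProcessEvents-like rows (added example)."""
import re

# Filter values copied from the KQL query.
INITIATORS = {"taskeng.exe", "svchost.exe"}
TOOLS = {"net.exe", "net1.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
GROUP_TERMS = ("Administratoren", "Administrators", "LocalGroup", "Add-LocalGroupMember")
ADD_TERMS = ("add", "-Member", "/add")

_TERM = re.compile(r"[A-Za-z0-9_]+")


def _terms(text: str) -> list[str]:
    """Split text into lower-cased terms: runs of alphanumerics, delimited by
    everything else ('/', '-', quotes, spaces). This mirrors how KQL's `has`
    family treats the command line as whole terms rather than substrings."""
    return [t.lower() for t in _TERM.findall(text)]


def has_any(text: str, needles) -> bool:
    """Approximation of KQL `has_any`: a needle matches when its term sequence
    occurs as whole, consecutive terms in the text, case-insensitively.
    So '/add' and 'add' both match the term 'add', while 'Administrators'
    does not match the different whole term 'Administrator'."""
    text_terms = _terms(text)
    for needle in needles:
        want = _terms(needle)
        n = len(want)
        for i in range(len(text_terms) - n + 1):
            if text_terms[i:i + n] == want:
                return True
    return False


def in_ci(value: str, allowed) -> bool:
    """Approximation of KQL `in~`: case-insensitive membership."""
    return value.lower() in {a.lower() for a in allowed}


def hunt(events):
    """Apply the query's `where` clauses and `sort by Timestamp desc`."""
    hits = [
        e for e in events
        if in_ci(e["InitiatingProcessFileName"], INITIATORS)
        and in_ci(e["FileName"], TOOLS)
        and has_any(e["ProcessCommandLine"], GROUP_TERMS)
        and has_any(e["ProcessCommandLine"], ADD_TERMS)
    ]
    # ISO-8601 strings in one format sort correctly as text.
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


# Constructed sample rows; device names and command lines are invented.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-03-20T02:00:01Z", "DeviceName": "ws01",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "net.exe",
     "ProcessCommandLine": "net localgroup Administrators svc_backup /add"},
    {"Timestamp": "2026-03-20T02:00:03Z", "DeviceName": "ws06",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "net.exe",
     "ProcessCommandLine": "net localgroup Administratoren wartung /add"},
    {"Timestamp": "2026-03-20T02:00:05Z", "DeviceName": "ws02",
     "InitiatingProcessFileName": "taskeng.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -NoProfile -Command "Add-LocalGroupMember '
                           '-Group Administrators -Member svc_backup"'},
    # Same command, but started interactively from explorer.exe: out of scope.
    {"Timestamp": "2026-03-20T09:15:00Z", "DeviceName": "ws03",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "net.exe",
     "ProcessCommandLine": "net localgroup Administrators helpdesk /add"},
    # Scheduled task that only enumerates the group: no add term, not a hit.
    {"Timestamp": "2026-03-20T02:00:09Z", "DeviceName": "ws04",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "net1.exe",
     "ProcessCommandLine": "net1 localgroup Administrators"},
    # Benign scheduled cmd.exe with no group-related term at all.
    {"Timestamp": "2026-03-20T02:00:12Z", "DeviceName": "ws05",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd.exe /c schtasks /query /tn "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["ProcessCommandLine"])
```

Run as a script it prints the three matching rows, newest first. The row spawned by explorer.exe and the enumeration-only `net1 localgroup Administrators` row fall through by design, which is the trade-off the query makes: it targets additions performed from a scheduled-task host, not every group change. Note also that the first `has_any` list only knows the English and German group names; on systems with another display language the localized name of the Administrators group has to be added to that list, otherwise `net localgroup` additions on those hosts are missed.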

## Details

- Author: Benjamin Zulliger
- Released: March 23, 2026
- Tables: DeviceProcessEvents
