Query Details

Local Administrator Additions

Local Admin Additions

Query

DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins

About this query

Local Administrator Additions

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1136.001Create Account: Local Accounthttps://attack.mitre.org/techniques/T1136/001/

Description

Adversaries may create a local accounts to maintain access to victim systems. This query lists all the locad admins that have been added in the seletect timeframe per device.

Risk

Local Admin accounts have high priviliges on and can should be limited.

References

Defender XDR

Sentinel

DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins

Explanation

This query is designed to identify and list all local administrator accounts that have been added to devices within a specified timeframe. It is relevant to security monitoring as it helps detect unauthorized or suspicious additions of high-privilege accounts, which could indicate potential security threats.

Here's a simple breakdown of what the query does:

  1. Data Source: It looks at events where a user account has been added to a local group on a device.

  2. Filter for Local Administrators: The query specifically filters these events to focus on accounts added to the "Local Administrators" group, identified by the security identifier (SID) "S-1-5-32-544".

  3. Summarize by Device: For each device, it compiles a list of all accounts that have been added as local administrators.

  4. Count and Sort: It calculates the total number of local administrator accounts per device and sorts the devices based on this count.

The purpose of the query is to help security teams quickly identify devices with potentially excessive or unauthorized local administrator accounts, which could pose a security risk.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceEvents

Keywords

DeviceEventsAccountGroupLocalAdministrators

Operators

whereextendparse_json()tostring()summarizemake_set()byarray_length()sort

MITRE Techniques

Actions

GitHub