Local Administrator Additions
Local Admin Additions
Query
DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
GroupName = tostring(Details.GroupName),
GroupDomainName = tostring(Details.GroupDomainName),
GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdminsAbout this query
Local Administrator Additions
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1136.001 | Create Account: Local Account | https://attack.mitre.org/techniques/T1136/001/ |
Description
Adversaries may create a local accounts to maintain access to victim systems. This query lists all the locad admins that have been added in the seletect timeframe per device.
Risk
Local Admin accounts have high priviliges on and can should be limited.
References
Defender XDR
Sentinel
DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
GroupName = tostring(Details.GroupName),
GroupDomainName = tostring(Details.GroupDomainName),
GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins
Explanation
This query is designed to identify and list all local administrator accounts that have been added to devices within a specified timeframe. It is relevant to security monitoring as it helps detect unauthorized or suspicious additions of high-privilege accounts, which could indicate potential security threats.
Here's a simple breakdown of what the query does:
-
Data Source: It looks at events where a user account has been added to a local group on a device.
-
Filter for Local Administrators: The query specifically filters these events to focus on accounts added to the "Local Administrators" group, identified by the security identifier (SID) "S-1-5-32-544".
-
Summarize by Device: For each device, it compiles a list of all accounts that have been added as local administrators.
-
Count and Sort: It calculates the total number of local administrator accounts per device and sorts the devices based on this count.
The purpose of the query is to help security teams quickly identify devices with potentially excessive or unauthorized local administrator accounts, which could pose a security risk.
