Local Admin Additions

# Local Administrator Additions

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1136.001 | Create Account: Local Account | https://attack.mitre.org/techniques/T1136/001/ |

#### Description
Adversaries may create local accounts to maintain access to victim systems. This query lists, per device, all the accounts that were added to the local Administrators group in the selected timeframe.

#### Risk
Local Admin accounts have high privileges on a device, so their number should be kept to a minimum.

#### References
- https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#administrator

## Defender For Endpoint
```KQL
DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins
```
## Sentinel
```KQL
DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins
```

Explanation

This query is used to identify accounts that have been added to the local Administrators group on devices within a specified timeframe. It filters for `UserAccountAddedToLocalGroup` events, parses the `AdditionalFields` JSON, keeps only events where the target group is the well-known Administrators SID `S-1-5-32-544`, and then builds the set of added account SIDs per device together with a count, sorted so that the devices with the most additions appear first. The query also includes a reference to the MITRE ATT&CK technique T1136.001, which covers the creation of local accounts for maintaining access to victim systems. The risk associated with local admin accounts is mentioned, emphasizing the need to limit their number. The query is provided in both Defender for Endpoint and Sentinel KQL syntax.
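As an added example (not part of the original query page), the same pipeline expressed in Python and run over a handful of constructed DeviceEvents-style rows. It shows why the filter keys on the group SID rather than the group name, and that repeated additions of the same account collapse into one entry, as `make_set` does. The device names, account SIDs and the `_row` helper are assumptions made up for the sample.

```python
import json
from collections import defaultdict

# Well-known SID of BUILTIN\Administrators. The query filters on the SID, not the
# group name, so localized names ("Administratoren", "Administrateurs") still match.
LOCAL_ADMINS_SID = "S-1-5-32-544"
ADD, REMOVE = "UserAccountAddedToLocalGroup", "UserAccountRemovedFromLocalGroup"


def _row(device, action, account_sid, group_name, group_sid):
    """Constructed DeviceEvents-like row; AdditionalFields is a JSON string as in MDE."""
    fields = {"GroupName": group_name, "GroupDomainName": "Builtin", "GroupSid": group_sid}
    return {"DeviceName": device, "ActionType": action, "AccountSid": account_sid,
            "AdditionalFields": json.dumps(fields)}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _row("ws01", ADD, "S-1-5-21-1-1-1-1001", "Administrators", LOCAL_ADMINS_SID),
    _row("ws01", ADD, "S-1-5-21-1-1-1-1002", "Administratoren", LOCAL_ADMINS_SID),  # localized name, same SID
    _row("ws01", ADD, "S-1-5-21-1-1-1-1001", "Administrators", LOCAL_ADMINS_SID),  # repeat add: make_set dedupes
    _row("ws02", ADD, "S-1-5-21-1-1-1-1003", "Remote Desktop Users", "S-1-5-32-555"),  # other group: dropped
    _row("ws03", ADD, "S-1-5-21-1-1-1-1004", "Administrators", LOCAL_ADMINS_SID),
    _row("ws03", REMOVE, "S-1-5-21-1-1-1-1004", "Administrators", LOCAL_ADMINS_SID),  # removal: not an addition
]


def local_admin_additions(events):
    """Mirror the KQL pipeline: where ActionType, parse_json(AdditionalFields),
    where GroupSid == S-1-5-32-544, make_set(AccountSid) by DeviceName,
    extend TotalLocalAdmins = array_length, sort by TotalLocalAdmins (desc by default)."""
    added = defaultdict(set)
    for ev in events:
        if ev.get("ActionType") != ADD:
            continue
        try:
            details = json.loads(ev.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            continue  # parse_json would give a null GroupSid, which the where clause drops
        if details.get("GroupSid") != LOCAL_ADMINS_SID:
            continue
        added[ev["DeviceName"]].add(ev["AccountSid"])
    rows = [{"DeviceName": dev, "LocalAdmins": sorted(sids), "TotalLocalAdmins": len(sids)}
            for dev, sids in added.items()]
    return sorted(rows, key=lambda r: r["TotalLocalAdmins"], reverse=True)


if __name__ == "__main__":
    for row in local_admin_additions(SAMPLE_EVENTS):
        print(row)
```

Running it lists ws01 first with two distinct added admins and ws03 with one; ws02 never appears because the addition targeted a different built-in group.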

Details

Bert-Jan Pals

Released: October 30, 2023

Tables

DeviceEvents

Keywords

Devices,Intune,User

Operators

where, extend, parse_json, tostring, summarize, make_set, by, sort
