Query Details

Hunt for Local Admins with the most RemoteInteractive logins

Local Admins With The Most Devices Accessed

Query

DeviceLogonEvents
| where IsLocalAdmin == "True"
| where LogonType == "RemoteInteractive"
| extend IsLocalLogon = tostring(todynamic(AdditionalFields).IsLocalLogon)
| summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain
| extend TotalDevices = array_length(DevicesAccessed)
| sort by TotalDevices

About this query

Hunt for Local Admins with the most RemoteInteractive logins

Query Information

Description

Hunt for Local Admins with the most RemoteInteractive logins

References

Defender XDR

Sentinel

DeviceLogonEvents
| where IsLocalAdmin == "True"
| where LogonType == "RemoteInteractive"
| extend IsLocalLogon = tostring(todynamic(AdditionalFields).IsLocalLogon)
| summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain
| extend TotalDevices = array_length(DevicesAccessed)
| sort by TotalDevices

Explanation

This query is designed to identify local administrators who have logged in remotely to the most devices. Here's a simple breakdown of what the query does:

  1. Data Source: It examines logon events from devices.

  2. Filter for Local Admins: It specifically looks at logon events where the user is a local administrator (IsLocalAdmin == "True").

  3. Remote Logins: It focuses on logins that are of the type "RemoteInteractive," which typically means remote desktop or similar remote access methods.

  4. Additional Information: It extracts additional fields to determine if the logon was local.

  5. Summarization: It groups the data by user account name and domain, collecting a list of devices each user has accessed.

  6. Count Devices: It calculates the total number of unique devices each user has accessed.

  7. Sorting: Finally, it sorts the results by the number of devices accessed, allowing you to see which local admins have accessed the most devices remotely.

This query helps in identifying potentially risky behavior by local admins who are accessing many devices remotely, which could be a sign of misuse or a security threat.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceLogonEvents

Keywords

DeviceLogonEventsLocalAdminsRemoteInteractiveLoginsAccountNameDomainDevicesAccessedTotal

Operators

whereextendtostringtodynamicsummarizemake_setbyarray_lengthsort

Actions

GitHub