TH Use Of Administrator Account

# Use of Administrator Account

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1078.002 | Valid Accounts: Domain Accounts | https://attack.mitre.org/techniques/T1078/002 |
| T1078.001 | Valid Accounts: Default Accounts | https://attack.mitre.org/techniques/T1078/001 |

### Description

Use the query below to identify logon events involving the built-in Administrator account (RID 500), whether local or domain.

#### References

- [Securing Built-in Administrator Accounts in Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory)
- [Local Accounts](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts)

### Microsoft 365 Defender

```kql
DeviceLogonEvents
// RID 500 is the built-in Administrator account, local or domain
| where AccountSid endswith "-500"
// DeviceName is normally the FQDN while AccountDomain for a local account is the short host name,
// so compare against the first DNS label
| extend AccountType = iff(AccountDomain =~ tostring(split(DeviceName, ".")[0]), "LocalAdmin", "DomainAdmin")
| project Timestamp, DeviceName, AccountName, AccountDomain, AccountSid, AccountType, LogonType
// summarize discards row order, so keep the latest timestamp and sort afterwards
| summarize TotalLogons = count(), LastLogon = max(Timestamp) by DeviceName, AccountName, AccountDomain, AccountSid, AccountType, LogonType
| sort by LastLogon desc
```

Explanation

This query is designed to identify and analyze logon events involving the Administrator account in a network. Here's a simple breakdown of what it does:

  1. Data Source: It looks at logon events from devices, specifically focusing on accounts with a Security Identifier (SID) ending in "-500", which typically represents the built-in Administrator account.

  2. Account Type Identification: It determines whether the logon was performed with the local built-in Administrator account or the domain Administrator account. This is done by comparing the account domain with the device's host name: a match means the account is local to that device.

  3. Data Selection: The query selects key information from each logon event, including the timestamp, device name, account name, account domain, account SID, account type, and logon type.

  4. Summarization and Sorting: The query counts the total number of logons for each unique combination of device, account, account type, and logon type, and orders the result so the most recent Administrator activity appears first.

This query helps in monitoring and auditing the use of Administrator accounts, which is crucial for security purposes, as these accounts have elevated privileges and can be targets for unauthorized access.
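As an added example that is not part of the original query page, the same detection logic in Python run over a few constructed DeviceLogonEvents-style records: it keeps RID 500 SIDs, classifies local versus domain Administrator by comparing AccountDomain to the device's short host name, counts logons per group and orders by the latest logon.

```python
# Constructed sample DeviceLogonEvents-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2025-08-29T08:01:00Z", "DeviceName": "ws01.contoso.com",
     "AccountName": "administrator", "AccountDomain": "ws01",
     "AccountSid": "S-1-5-21-1111-2222-3333-500", "LogonType": "Interactive"},
    {"Timestamp": "2025-08-29T08:05:00Z", "DeviceName": "ws01.contoso.com",
     "AccountName": "administrator", "AccountDomain": "contoso",
     "AccountSid": "S-1-5-21-4444-5555-6666-500", "LogonType": "Network"},
    {"Timestamp": "2025-08-29T09:00:00Z", "DeviceName": "ws01.contoso.com",
     "AccountName": "administrator", "AccountDomain": "contoso",
     "AccountSid": "S-1-5-21-4444-5555-6666-500", "LogonType": "Network"},
    {"Timestamp": "2025-08-29T09:30:00Z", "DeviceName": "ws01.contoso.com",
     "AccountName": "jdoe", "AccountDomain": "contoso",
     "AccountSid": "S-1-5-21-4444-5555-6666-1105", "LogonType": "Interactive"},
]

def is_builtin_admin(sid: str) -> bool:
    """RID 500 is the built-in Administrator, local or domain."""
    return sid.endswith("-500")

def account_type(account_domain: str, device_name: str) -> str:
    # DeviceName is usually an FQDN while AccountDomain for a local account is
    # the short host name, so compare case-insensitively against the first label.
    short_host = device_name.split(".")[0]
    return "LocalAdmin" if account_domain.lower() == short_host.lower() else "DomainAdmin"

def summarize_admin_logons(events):
    """Count logons and keep the latest timestamp per (device, account, domain, sid, type, logon type)."""
    groups = {}
    for ev in events:
        if not is_builtin_admin(ev["AccountSid"]):
            continue
        key = (ev["DeviceName"], ev["AccountName"], ev["AccountDomain"], ev["AccountSid"],
               account_type(ev["AccountDomain"], ev["DeviceName"]), ev["LogonType"])
        total, last = groups.get(key, (0, ""))
        groups[key] = (total + 1, max(last, ev["Timestamp"]))  # ISO 8601 sorts lexically
    rows = [{"DeviceName": k[0], "AccountName": k[1], "AccountDomain": k[2], "AccountSid": k[3],
             "AccountType": k[4], "LogonType": k[5], "TotalLogons": v[0], "LastLogon": v[1]}
            for k, v in groups.items()]
    # Most recent activity first, the ordering the KQL sort is meant to provide.
    return sorted(rows, key=lambda r: r["LastLogon"], reverse=True)

if __name__ == "__main__":
    for row in summarize_admin_logons(SAMPLE_EVENTS):
        print(row)
```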

Details

Author: Alex Verboon

Released: August 29, 2025

Tables: DeviceLogonEvents
