Query Details

Use Exposure Management To Chart User Groups With Local Admin Privileges

Query

# Use Exposure Management to chart User Groups with Local Admin privileges

### Description

Exposure Management offers the capacity to build a map of User Groups that have Local Admin rights on your devices. This can help identify misconfigured privilege assignments to User Groups. You may choose to exclude specific User Groups that are expected to have local admin privileges.

### Microsoft Defender XDR
```
//let PrivilegedGroups = dynamic(['', '', '' ]); // Add User Groups that are legitimately allowed to have local admin privileges on devices; uncomment this line and the !in~ filter below to exclude them
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| where SourceNodeLabel == @"group"
//| where SourceNodeName !in~ (PrivilegedGroups)
// tobool() matches the flag whether the graph stores it as a JSON boolean or as the string "true"
| where tobool(parse_json(EdgeProperties).rawData.userRightsOnDevice.isLocalAdmin) == true
| summarize by SourceNodeName, TargetNodeName
```

### MITRE ATT&CK Mapping
- Tactic: Persistence
- Technique ID: T1098
- [Account Manipulation](https://attack.mitre.org/techniques/T1098/)

### Source
- Exposure Management

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 23/08/2024    | Initial publish                   |

Explanation

This query is designed to identify user groups that have local admin privileges on devices using Microsoft Defender XDR's Exposure Management. Here's a simplified breakdown:

  1. Objective: To map out user groups with local admin rights on devices, helping to spot any misconfigurations in privilege assignments.
  2. Optional Filtering: You can exclude specific user groups that are expected to have local admin privileges.
  3. Query Steps:
    • Look at edges in the exposure graph where the relationship is "can authenticate to".
    • Focus on edges where the source node is a user group.
    • Optionally, exclude groups that are legitimately allowed to have local admin rights.
    • Check if the user group has local admin rights on the target device.
    • Summarize the results by the names of the source (user group) and target (device).
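An extended version of the same idea, added here as an example and not part of the original query: it applies the allowlist of expected groups, then ranks the remaining groups by how many devices they hold local admin on and keeps a sample of device names per group, which is usually the shape needed for triage. The group names in the allowlist are placeholders, not values from the page.

```kql
// Added example: groups with local admin rights on devices, minus expected groups,
// ranked by the number of devices each group can administer.
let ExpectedAdminGroups = dynamic(["Domain Admins", "Workstation Admins"]); // placeholder names, replace with your own
let LocalAdminEdges =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    | where SourceNodeLabel == @"group"
    // tobool() handles the flag whether it is stored as a JSON boolean or as the string "true"
    | where tobool(EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin) == true
    | project GroupName = SourceNodeName, DeviceName = TargetNodeName;
LocalAdminEdges
| where GroupName !in~ (ExpectedAdminGroups)   // case-insensitive exclusion of expected groups
| summarize DeviceCount = dcount(DeviceName),
            SampleDevices = make_set(DeviceName, 10)  // up to 10 device names per group for triage
            by GroupName
| order by DeviceCount desc
```

Groups at the top of the result with a large DeviceCount that are not in the allowlist are the first candidates for review; a group that appears on only one or two devices is more often a local misconfiguration on those hosts than a deliberate design.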

MITRE ATT&CK Mapping

  • Tactic: Persistence
  • Technique ID: T1098 (Account Manipulation)

Versioning

  • Version 1.0: Published on 23/08/2024

This query helps in identifying potential security risks by highlighting user groups with elevated privileges that might not be properly configured.

Details


Michalis Michalos

Released: August 23, 2024

Tables

ExposureGraphEdges

Keywords

Devices, User Groups, Privileges, Local Admin Rights, Misconfigurations, Microsoft Defender XDR, Exposure Management, Persistence, Account Manipulation

Operators

let, dynamic, summarize, by, where, parse_json
