
List User Account Added To Administrators Group

Description

Adversaries may create local accounts to maintain access to victim systems. This KQL query lists, per device, every account that was added to the local Administrators group in the selected time frame.

Risk

Local Admin accounts have high privileges on a device, so their number should be limited.

Query

Microsoft Defender For Endpoint
Kusto
DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins

Microsoft Sentinel
Kusto
DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins
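
The same detection logic run over constructed DeviceEvents rows, as an added Python example that is not part of the original query page. It shows why the query keys on the well-known SID S-1-5-32-544 rather than on GroupName (a localized display name such as "Administratoren" is still caught) and how make_set() collapses repeated additions of the same account. Device names, account SIDs and the row layout are constructed for the example.

```python
import json
from collections import defaultdict

# Well-known SID of the built-in Administrators group. It is identical on every
# Windows install regardless of display language, which is why the query uses it.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"


def _event(device, account_sid, group_name, group_sid, action="UserAccountAddedToLocalGroup"):
    """Build one constructed DeviceEvents-like row with AdditionalFields as a JSON string."""
    fields = {"GroupName": group_name, "GroupDomainName": "Builtin", "GroupSid": group_sid}
    return {"DeviceName": device, "ActionType": action, "AccountSid": account_sid,
            "AdditionalFields": json.dumps(fields)}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    _event("ws01", "S-1-5-21-1111-2222-3333-1001", "Administrators", BUILTIN_ADMINISTRATORS_SID),
    # German-localized display name: a filter on GroupName == "Administrators" would miss it
    _event("ws02", "S-1-5-21-1111-2222-3333-1002", "Administratoren", BUILTIN_ADMINISTRATORS_SID),
    _event("ws01", "S-1-5-21-1111-2222-3333-1003", "Administrators", BUILTIN_ADMINISTRATORS_SID),
    # Remote Desktop Users (S-1-5-32-555) is a different well-known group: excluded
    _event("ws01", "S-1-5-21-1111-2222-3333-1004", "Remote Desktop Users", "S-1-5-32-555"),
    # Different ActionType: dropped by the first where clause
    _event("ws03", "S-1-5-21-1111-2222-3333-1005", "Administrators", BUILTIN_ADMINISTRATORS_SID,
           action="UserAccountCreated"),
    # Same account added to ws01 a second time: make_set() deduplicates it
    _event("ws01", "S-1-5-21-1111-2222-3333-1001", "Administrators", BUILTIN_ADMINISTRATORS_SID),
    # Unparseable AdditionalFields: GroupSid resolves to empty in KQL, so the row is dropped
    {"DeviceName": "ws04", "ActionType": "UserAccountAddedToLocalGroup",
     "AccountSid": "S-1-5-21-1111-2222-3333-1006", "AdditionalFields": "not json"},
]


def local_admins_per_device(events, group_sid=BUILTIN_ADMINISTRATORS_SID):
    """Return [(DeviceName, sorted AccountSids, TotalLocalAdmins)], most additions first."""
    admins = defaultdict(set)
    for ev in events:
        if ev.get("ActionType") != "UserAccountAddedToLocalGroup":
            continue
        try:
            details = json.loads(ev.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            continue
        if not isinstance(details, dict) or details.get("GroupSid") != group_sid:
            continue
        admins[ev["DeviceName"]].add(ev["AccountSid"])
    rows = [(dev, sorted(sids), len(sids)) for dev, sids in admins.items()]
    # KQL 'sort by' defaults to descending, matching the query's ordering
    return sorted(rows, key=lambda r: r[2], reverse=True)
```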
