Skip to content

Latest commit

 

History

History
49 lines (42 loc) · 1.62 KB

LocalAdminAdditions.md

File metadata and controls

49 lines (42 loc) · 1.62 KB
Raw

Local Administrator Additions

Query Information

MITRE ATT&CK Technique(s)

Technique ID Title Link
T1136.001 Create Account: Local Account https://attack.mitre.org/techniques/T1136/001/

Description

Adversaries may create a local accounts to maintain access to victim systems. This query lists all the locad admins that have been added in the seletect timeframe per device.

Risk

Local Admin accounts have high priviliges on and can should be limited.

References

Defender For Endpoint

DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins

Sentinel

DeviceEvents
| where ActionType == "UserAccountAddedToLocalGroup"
| extend Details = parse_json(AdditionalFields)
| extend
    GroupName = tostring(Details.GroupName),
    GroupDomainName = tostring(Details.GroupDomainName),
    GroupSid = tostring(Details.GroupSid)
// Filter Local Administrators
| where GroupSid == "S-1-5-32-544"
| summarize LocalAdmins = make_set(AccountSid) by DeviceName
| extend TotalLocalAdmins = array_length(LocalAdmins)
| sort by TotalLocalAdmins