forked from SEVENP/Sentinel-Queries
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDevice-UserAddedasLocalAdmin.kql
39 lines (37 loc) · 1.42 KB
/
Device-UserAddedasLocalAdmin.kql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
//Detect when an admin adds another user to the local administrators group on a device and optionally query IdentityInfo to return the UPN of the user added
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "UserAccountAddedToLocalGroup"
| where AdditionalFields.GroupName == "Administrators"
// Exclude processes initiated by system as this detection is for end users adding groups
| where InitiatingProcessAccountSid != "S-1-5-18"
| project
TimeGenerated,
DeviceName,
AccountSid,
Actor=InitiatingProcessAccountName
//Join query to IdentityInfo table to match the AccountSid
//if you do not use the IdentityInfo table remove everything below this line
| join kind=inner (
IdentityInfo
| where TimeGenerated > ago (21d)
| summarize arg_max (TimeGenerated, *) by AccountUPN)
on $left.AccountSid == $right.AccountSID
| project
TimeGenerated,
DeviceName,
['User Added']=AccountUPN,
['User Added Sid']=AccountSID,
Actor
//Use the below for the equivalent query in M365 advanced hunting
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "UserAccountAddedToLocalGroup"
| where AdditionalFields contains "Administrator"
| where InitiatingProcessAccountSid != "S-1-5-18"
| project DeviceName, Actor=InitiatingProcessAccountName, AccountSid
| join kind=inner (
IdentityInfo
)
on $left.AccountSid==$right.OnPremSid
| project DeviceName, Actor, AccountSid, UserAdded=AccountUpn