
Commit f18404b

author
Alex Verboon
committed
added query for local admin groups
1 parent ba13711 commit f18404b

1 file changed

+37
-0
lines changed

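--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,37 @@
+// Author: alex verboon @alexverboon
+// Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes/
+
+
+let ADAZUsers = IdentityInfo
+| extend DirectoryDomain = AccountDomain
+| extend DirectoryAccount = AccountName
+| distinct DirectoryDomain , DirectoryAccount , OnPremSid , CloudSid, AccountUpn, GivenName, Surname;
+// check for any new created or modified local accounts
+let NewUsers = DeviceEvents
+| where ActionType contains "UserAccountCreated" // or ActionType contains "UserAccountModified"
+| extend lUserAdded = AccountName
+| extend NewUserSID = AccountSid
+| extend laccountdomain = AccountDomain
+| distinct NewUserSID, lUserAdded,laccountdomain;
+// Check for any local group changes and enrich the data with the account name obtained from the previous query
+DeviceEvents
+| where ActionType == 'UserAccountAddedToLocalGroup'
+| extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
+| extend LocalGroup = AccountName
+| extend LocalGroupSID = AccountSid
+| extend Actor = trim(@"[^\w]+",InitiatingProcessAccountName)
+| join kind= leftouter (NewUsers)
+on $left.AddedAccountSID == $right.NewUserSID
+| project Timestamp, DeviceName, LocalGroup,LocalGroupSID, AddedAccountSID, lUserAdded , Actor, ActionType , laccountdomain
+// limit to local administrators group
+// | where LocalGroupSID contains "S-1-5-32-544"
+| join kind= leftouter (ADAZUsers)
+on $left.AddedAccountSID == $right.OnPremSid
+| extend UserAdded = iff(isnotempty(lUserAdded),strcat(laccountdomain,"\\", lUserAdded), strcat(DirectoryDomain,"\\", DirectoryAccount))
+| project Timestamp, DeviceName, LocalGroup,LocalGroupSID, AddedAccountSID, UserAdded , Actor, ActionType
+| where DeviceName !contains Actor
+// Provide details on actors that added users
+// | summarize count() by Actor
+// | join ADAZUsers
+// on $left.Actor == $right.DirectoryAccount
+// | render piechart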
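Review bot: When the added SID matches neither NewUsers nor ADAZUsers, `UserAdded` on line 30 collapses to a bare `\` because both `strcat` branches concatenate empty fields, so the row loses the only identity it carries. Keeping the raw SID as a last fallback keeps unresolved members (well-known SIDs, accounts from a domain absent from IdentityInfo) visible to the analyst: `| extend UserAdded = case(isnotempty(lUserAdded), strcat(laccountdomain,"\\", lUserAdded), isnotempty(DirectoryAccount), strcat(DirectoryDomain,"\\", DirectoryAccount), AddedAccountSID)`. The filter on line 32, `| where DeviceName !contains Actor`, presumably meant to drop the machine account after `trim` strips its trailing `$`, also drops any human actor whose name happens to be a substring of the host name (a user `admin` on `admin-ws01`, for instance); comparing against the host label is more precise, `| where Actor !~ tostring(split(DeviceName, ".")[0])`. Both joins are `leftouter` against `distinct` projections, so an OnPremSid that appears with more than one AccountUpn or name in IdentityInfo duplicates the event row; narrowing the `distinct` in ADAZUsers or taking `arg_max` per OnPremSid would keep one row per event.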
