This repository was archived by the owner on Nov 16, 2023. It is now read-only.

Commit f8094cc

Create localAdminAccountLogon.txt
1 parent f113daa commit f8094cc

1 file changed

+5
-0
lines changed

@@ -0,0 +1,5 @@
1+
//This query looks for local admin account used to logon into the computer
2+
//this can help to detect malicious insiders that were able to add a local account to the local admin group offline
3+
DeviceLogonEvents
4+
| where IsLocalAdmin == 1
5+
and AccountDomain == DeviceName
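
Review bot: The comparison on line 5, `AccountDomain == DeviceName`, uses the case-sensitive `==` operator and matches the full `DeviceName` string, so it silently returns nothing for devices whose name is reported as an FQDN or in a different case than the account domain. Consider a case-insensitive match against the host part, for example `AccountDomain =~ tostring(split(DeviceName, ".")[0])`. Two smaller points: the query has no `ActionType` filter, so failed attempts are mixed in with the successful logons the line 1 comment describes, and it has no time bound or `project`, which makes the output hard to triage. The line 2 comment also promises more than the query checks: nothing here distinguishes an account added to the local admin group offline from any other local admin logon, so the comment should say this is a starting point that needs correlation with account and group-change events.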
