Hunting for admin sign-ins
By Gianni Castaldi
Today’s blog post will be a short one about hunting for admin sign ins. We all remember the moment when we had to hunt to find who was admin and on which system. Today we will create a query to hunt for these in 3 steps.
- Create a list of device IDs and their type.
We will recognize domain controllers, by their network activity on port 88. And servers by their OSPlatform, but we will exclude the domain controllers by their RegistryDeviceTag. For the workstations, we will only use the OSPlatform
let DC = DeviceNetworkEvents | where LocalPort == "88" | distinct DeviceId | extend Type = "DomainController" ; let SVR = DeviceInfo | where OSPlatform in ("WindowsServer2008R2","WindowsServer2019","WindowsServer2016","WindowsServer2012R2") and RegistryDeviceTag !contains "Domain Controllers" | distinct DeviceId | extend Type = "Server" ; let WKS = DeviceInfo | where OSPlatform in ("Windows10","Windows7","Windows8Blue") | distinct DeviceId | extend Type = "Workstation" ; let OSTypes = union DC, SVR, WKS
- Get all local sign-ins from accounts with admin permissions
To do this we query the DeviceLogonEvents table and parse the AdditionalFields for the IsLocalLogon value. We will also filter the IsLocalAdmin value. After that, we will project the items we need and use the summarize operator to filter out any duplicates.
DeviceLogonEvents | where Timestamp > ago(1d) | extend AF = parse_json(AdditionalFields) | where IsLocalAdmin == 1 and AF.IsLocalLogon == "true" | project Timestamp, DeviceName, DeviceId, AccountDomain, AccountName | summarize LastObserved = max(Timestamp) by DeviceName, DeviceId, AccountDomain, AccountName
- Join OSTypes and Logons
The last step is joining the 2 queries. The final result is available on GitHub.
Thanks for reading and if you have any questions or ideas for a blog post let me know.