Hunting for admin sign-ins

By Gianni Castaldi

Today's blog post will be a short one about hunting for admin sign-ins. We all remember the moment when we had to hunt to find out who was an admin and on which system. Today we will create a query to hunt for these in 3 steps.

  1. Create a list of device IDs and their type.

We will recognize domain controllers by their network activity on port 88 (Kerberos), and servers by their OSPlatform, excluding the domain controllers by their RegistryDeviceTag. For the workstations, we will only use the OSPlatform.

// Domain controllers: devices that receive Kerberos traffic on local port 88
let DC = DeviceNetworkEvents
| where LocalPort == 88
| distinct DeviceId
| extend Type = "DomainController";
// Servers: server OS builds, minus devices tagged as domain controllers
let SVR = DeviceInfo
| where OSPlatform in ("WindowsServer2008R2","WindowsServer2019","WindowsServer2016","WindowsServer2012R2") and RegistryDeviceTag !contains "Domain Controllers"
| distinct DeviceId
| extend Type = "Server";
// Workstations: client OS builds only
let WKS = DeviceInfo
| where OSPlatform in ("Windows10","Windows7","Windows8Blue")
| distinct DeviceId
| extend Type = "Workstation";
// One table of DeviceId plus its Type
let OSTypes =
union DC, SVR, WKS;

  2. Get all local sign-ins from accounts with admin permissions

To do this we query the DeviceLogonEvents table and parse AdditionalFields for the IsLocalLogon value. We also filter on the IsLocalAdmin value. After that, we project the columns we need and use the summarize operator to collapse duplicates, keeping the most recent timestamp per device and account.

// Local sign-ins from the last day by accounts that are local admins on the device
let Logons = DeviceLogonEvents
| where Timestamp > ago(1d)
| extend AF = parse_json(AdditionalFields)
| where IsLocalAdmin == 1 and AF.IsLocalLogon == "true"
| project Timestamp, DeviceName, DeviceId, AccountDomain, AccountName
| summarize LastObserved = max(Timestamp) by DeviceName, DeviceId, AccountDomain, AccountName;

  3. Join OSTypes and Logons

The last step is joining the two queries on DeviceId. The final result is available on GitHub.
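The three steps combined into a single advanced hunting query, as an added example that is not the post's own GitHub query. It uses the Microsoft Defender for Endpoint advanced hunting schema (DeviceNetworkEvents, DeviceInfo, DeviceLogonEvents) and goes a little beyond the post: the server list is matched with startswith so newer server builds are covered, Windows11 is added to the workstation list, tobool() accepts IsLocalLogon whether it arrives as a boolean or as the string "true", a device that lands in more than one list gets a single Type, and the join is leftouter so admin sign-ins on devices that matched none of the lists still show up as "Unclassified" instead of being dropped. The look-back windows (7d for classification, 1d for sign-ins) are chosen for illustration.

```kql
// Added example (not the author's GitHub query): steps 1-3 joined into one query.
// Assumes the Defender for Endpoint advanced hunting schema; look-back windows are constructed values.
let lookback = 7d;
// Step 1: classify devices. Kerberos traffic received on local port 88 marks a domain controller.
let DC = DeviceNetworkEvents
| where Timestamp > ago(lookback) and LocalPort == 88
| distinct DeviceId
| extend Type = "DomainController";
let SVR = DeviceInfo
| where Timestamp > ago(lookback)
| where OSPlatform startswith "WindowsServer"             // any server build, not only the four in the post
| where RegistryDeviceTag !contains "Domain Controllers"
| distinct DeviceId
| extend Type = "Server";
let WKS = DeviceInfo
| where Timestamp > ago(lookback)
| where OSPlatform in ("Windows10", "Windows11", "Windows7", "Windows8Blue")
| distinct DeviceId
| extend Type = "Workstation";
// A device can appear in more than one list (a DC also reports a server OSPlatform
// until it is tagged). Keep one row per device; min() lets "DomainController" win alphabetically.
let OSTypes = union DC, SVR, WKS
| summarize Type = min(Type) by DeviceId;
// Step 2: successful local sign-ins by accounts that are local admins on that device.
let Logons = DeviceLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess"
| extend AF = parse_json(AdditionalFields)
| where IsLocalAdmin == true and tobool(AF.IsLocalLogon) == true   // tobool() handles true and "true"
| summarize LastObserved = max(Timestamp), SignIns = count()
    by DeviceName, DeviceId, AccountDomain, AccountName;
// Step 3: join. leftouter keeps sign-ins on devices that matched none of the three lists.
Logons
| join kind=leftouter OSTypes on DeviceId
| extend Type = iff(isempty(Type), "Unclassified", Type)
| project LastObserved, SignIns, Type, DeviceName, DeviceId,
    Account = strcat(AccountDomain, @"\", AccountName)
| order by Type asc, DeviceName asc, LastObserved desc
```

Sorting by Type first puts admin sign-ins on domain controllers at the top of the result, which is usually where a hunter wants to start; the "Unclassified" rows at the bottom are worth a look too, since they are devices the OS lists did not recognise rather than devices with no admin activity.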

Thanks for reading and if you have any questions or ideas for a blog post let me know.

By Gianni Castaldi

MVP | NinjaCat | Researching and Engineering Cyber Security @ KustoWorks
