Forum Discussion
gpneira
Jul 20, 2023, Copper Contributor
Detection rule Admin Grant permission granted
Hello, I have to deploy a rule that detects when a local user has received admin rights (or was added to a local admin group) and then this account made a login. I have the tables that come from ...
- Jul 23, 2023
Hey gpneira,
if I understand you correctly, the query below should help you. First, it looks for 'UserAccountAddedToLocalGroup' and extends the necessary fields, especially AddedAccountSID. Then it joins this table with DeviceLogonEvents where AddedAccountSID == AddedAccountSID.
Please let me know if this worked for you.

DeviceEvents
| where ActionType == 'UserAccountAddedToLocalGroup'
// MemberSid (the account that was added) sits inside the JSON string column AdditionalFields
| extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
// for this ActionType, AccountName / AccountSid describe the local group, not the member
| extend LocalGroup = AccountName
| extend LocalGroupSID = AccountSid
| extend Actor = trim(@"[^\w]+", InitiatingProcessAccountName)
// match the added member's SID against the account that logged on
| join DeviceLogonEvents on $left.AddedAccountSID == $right.AccountSid
// IsLocalAdmin is a bool, and AdditionalFields1 (the logon row's AdditionalFields) is a string that must be parsed first
| where IsLocalAdmin == true and tobool(parse_json(AdditionalFields1).IsLocalLogon) == true
| project Timestamp, DeviceName, LocalGroup, LocalGroupSID, AddedAccountSID, Actor, ActionType
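A tighter variant of the same correlation, added here as an example and not taken from the thread: it keeps only additions to the built-in Administrators group (well-known SID S-1-5-32-544, relying on the answer's reading that AccountSid on a UserAccountAddedToLocalGroup row is the group's SID), requires the logon to occur on the same device after the group change, and reports how long the new member took to log on. The 7-day correlation window, the 30-day lookback and the result column names (GrantTime, FirstLogon, MinutesToFirstLogon, AdminLogons) are assumptions; the table and source column names are those of the Defender Advanced Hunting schema.

```kql
// Added example (not from the thread): admin-group grant followed by a logon of the new member
let lookback = 7d;    // assumed maximum gap between the grant and the logon
let grants = DeviceEvents
    | where Timestamp > ago(30d)
    | where ActionType == 'UserAccountAddedToLocalGroup'
    // S-1-5-32-544 is the well-known SID of BUILTIN\Administrators on every Windows host
    | where AccountSid == 'S-1-5-32-544'
    | extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
    | project GrantTime = Timestamp, DeviceId, DeviceName, LocalGroup = AccountName,
              AddedAccountSID, Actor = InitiatingProcessAccountName,
              ActorProcess = InitiatingProcessFileName;
let logons = DeviceLogonEvents
    | where Timestamp > ago(30d)
    | where ActionType == 'LogonSuccess'
    | project LogonTime = Timestamp, DeviceId, AccountSid, AccountName, LogonType, IsLocalAdmin;
grants
// same device and same account SID; inner join keeps every matching logon, not just the first row
| join kind=inner logons on DeviceId, $left.AddedAccountSID == $right.AccountSid
// only logons that happened after the grant and inside the window count
| where LogonTime > GrantTime and LogonTime < GrantTime + lookback
| summarize FirstLogon = min(LogonTime),
            LogonCount = count(),
            AdminLogons = countif(IsLocalAdmin == true),
            LogonTypes = make_set(LogonType)
    by GrantTime, DeviceName, LocalGroup, AddedAccountSID, AccountName, Actor, ActorProcess
| extend MinutesToFirstLogon = datetime_diff('minute', FirstLogon, GrantTime)
| order by GrantTime desc
```

Joining on DeviceId as well as the SID matters mainly for domain accounts, which keep the same SID on every device they are added to; purely local accounts already carry a per-machine SID prefix.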
R3al3ztthevilin
Jul 28, 2023, Copper Contributor
How
- R3al3ztthevilin, Jul 28, 2023, Copper Contributor: To apply
- gpneira, Jul 28, 2023, Copper Contributor: how what, sorry?