gpneira
Jul 20, 2023 (Copper Contributor)
Detection rule Admin Grant permission granted
Hello, I have to deploy a rule that detects when a local user has received admin rights (or was added to an admin local group) and then this account made a login. I have the tables that come from ...
dnsrk
Jul 23, 2023
Hey gpneira,
If I understand you correctly, the query below should help you. First, it looks for 'UserAccountAddedToLocalGroup' and extends the necessary fields, especially AddedAccountSID. Then it joins this table with DeviceLogonEvents where AddedAccountSID == AddedAccountSID.
Please let me know if this worked for you.

DeviceEvents
| where ActionType == 'UserAccountAddedToLocalGroup'
| extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
| extend LocalGroup = AccountName
| extend LocalGroupSID = AccountSid
| extend Actor = trim(@"[^\w]+", InitiatingProcessAccountName)
| join DeviceLogonEvents on $left.AddedAccountSID == $right.AccountSid
// the join renames the DeviceLogonEvents AdditionalFields column to AdditionalFields1; it is a string, so parse it before reading IsLocalLogon
| where IsLocalAdmin == true and parse_json(AdditionalFields1).IsLocalLogon == true
| project Timestamp, DeviceName, LocalGroup, LocalGroupSID, AddedAccountSID, Actor, ActionType
gpneira
Jul 28, 2023 (Copper Contributor)
Hello dnsrk,
Thank you very much for your response. I have deployed this rule right now, but I don't have the test computer yet, until the 3rd week of August. I will implement this rule and test it.
In addition, I'm thinking about it and I'm wondering if it's possible to also do it like: one local user created and admin permission granted to this recently created account. I think this is even simpler, right?
I'm learning KQL and seeing your structure makes me really understand how it works, thank you very much.
dnsrk
Jul 28, 2023 (Brass Contributor)
Hey, yes that's also possible to directly check the permissions.
Should look somehow like this. I do not have access to Sentinel to validate unfortunately:
DeviceEvents
| where ActionType == 'UserAccountAddedToLocalGroup'
| extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
| extend LocalGroup = AccountName
| extend LocalGroupSID = AccountSid
| extend Actor = trim(@"[^\w]+",InitiatingProcessAccountName)
| where LocalGroupSID contains "S-1-5-32-544"
gpneira
Jul 28, 2023 (Copper Contributor)
Yes, it gives the information pretty nicely, but how can I know that this account is new? So we would need to know that user A has created user B and granted permissions, because if I only see permissions granted, since we use LAPS, as we do, I get like 30000 per day. How could I join this to the action "UserCreated" and then "UserAccountAddedToLocalGroup"? Do I have to define a variable first in the consult user created and then look for it in user account added?
dnsrk
Aug 01, 2023 (Brass Contributor)
Hey gpneira, sorry it took a while, I was off some days. First, you need to look up the newly created users for your period and then join them with the table we already have for local group membership.

let NewUsers = DeviceEvents
| where ActionType contains "UserAccountCreated"
| extend lUserAdded = AccountName
| extend NewUserSID = AccountSid
| extend laccountdomain = AccountDomain
| distinct NewUserSID, lUserAdded, laccountdomain;
DeviceEvents
| where ActionType == 'UserAccountAddedToLocalGroup'
| extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
| extend LocalGroup = AccountName
| extend LocalGroupSID = AccountSid
| extend Actor = trim(@"[^\w]+", InitiatingProcessAccountName)
| join kind=leftouter (NewUsers) on $left.AddedAccountSID == $right.NewUserSID
| project Timestamp, DeviceName, LocalGroup, LocalGroupSID, AddedAccountSID, lUserAdded, Actor, ActionType, laccountdomain
| where LocalGroupSID contains "S-1-5-32-544"
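Putting the three steps discussed in this thread together (account created, account added to BUILTIN\Administrators, then a local admin logon) into one query, as an added example that is not from the thread or any of its participants. It assumes the same Defender for Endpoint tables and the IsLocalLogon field in DeviceLogonEvents.AdditionalFields referenced above; the inner joins and the time windows (add_window, logon_window) are assumptions that cut the routine LAPS-driven group changes on long-lived accounts out of the result, and they should be tuned per environment.

```kql
// Added example, not part of the thread. Chains creation -> Administrators membership -> local admin logon,
// keyed on device and account SID so that events from different hosts cannot be cross-matched.
let lookback = 7d;
let add_window = 1h;     // assumption: group change must follow account creation within this window
let logon_window = 24h;  // assumption: first admin logon must follow the group change within this window
let NewUsers = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == 'UserAccountCreated'
    | project CreatedTime = Timestamp, DeviceId, NewUserSID = AccountSid, NewUserName = AccountName,
              CreatedBy = InitiatingProcessAccountName;
let AdminAdds = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == 'UserAccountAddedToLocalGroup'
    | extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
    // well-known SID of the local Administrators group; an exact match avoids hits on longer SIDs
    | where AccountSid == "S-1-5-32-544"
    | project AddedTime = Timestamp, DeviceId, DeviceName, AddedAccountSID, LocalGroup = AccountName,
              Actor = trim(@"[^\w]+", InitiatingProcessAccountName);
NewUsers
// only accounts that were created AND added to Administrators on the same device, shortly after creation
| join kind=inner AdminAdds on DeviceId, $left.NewUserSID == $right.AddedAccountSID
| where AddedTime between (CreatedTime .. (CreatedTime + add_window))
// then require an actual local logon with admin rights for that account on that device
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where IsLocalAdmin == true and parse_json(AdditionalFields).IsLocalLogon == true
    | project LogonTime = Timestamp, DeviceId, AccountSid, LogonType
  ) on DeviceId, $left.NewUserSID == $right.AccountSid
| where LogonTime between (AddedTime .. (AddedTime + logon_window))
| summarize FirstAdminLogon = min(LogonTime), LogonTypes = make_set(LogonType)
    by DeviceName, NewUserName, NewUserSID, CreatedBy, CreatedTime, Actor, AddedTime, LocalGroup
| order by CreatedTime desc
```

Each row is one newly created account that became a local administrator and was then used to log on; CreatedBy and Actor show which accounts performed the creation and the group change, which is the user A / user B relationship asked about above.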