Local Group Enumeration in MDE?


Wondering if it is possible to enumerate local group membership (Administrators, Remote Desktop Admins etc.) via Defender for Endpoint. If not directly, perhaps there is a way via Advanced Hunting?

I did a quick look but did not find anything obvious.

Thanks in advance,

Kevin

1 Reply
Hi Kevin, unfortunately MDE does not currently have the capacity to do this. One option could be to write a custom PowerShell script that works with Live Response.
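
A sketch of the kind of script the reply describes, added here as an example and not part of the original thread or any Microsoft tooling. The two groups chosen (by well-known SID, so localized names still resolve), the output fields and the JSON output are assumptions; it needs the built-in LocalAccounts cmdlets of Windows PowerShell 5.1.

```powershell
# Added example: report members of selected built-in local groups on this device.
# Assumption: these two well-known SIDs are the groups of interest.
$groupSids = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-32-555'   # BUILTIN\Remote Desktop Users
)

$results = foreach ($sid in $groupSids) {
    # Resolve the (possibly localized) group name from its SID.
    $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    try {
        Get-LocalGroupMember -SID $sid -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Device = $env:COMPUTERNAME
                Group  = $group.Name
                Member = $_.Name
                Sid    = $_.SID.Value
                Class  = $_.ObjectClass
                Source = "$($_.PrincipalSource)"   # Local, ActiveDirectory, AzureAD, ...
            }
        }
    }
    catch {
        # Get-LocalGroupMember can fail when a group still holds an orphaned SID
        # (for example a deleted domain account). Fall back to the ADSI WinNT
        # provider, which returns such entries instead of throwing.
        $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($group.Name),group"
        foreach ($m in $adsi.Invoke('Members')) {
            $t     = $m.GetType()
            $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Device = $env:COMPUTERNAME
                Group  = $group.Name
                Member = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                Sid    = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
                Class  = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
                Source = 'ADSI fallback'
            }
        }
    }
}

# Emit JSON on standard output so the result can be read or saved by the caller.
@($results) | ConvertTo-Json -Depth 3
```

In the fallback branch an orphaned entry shows up with its raw SID in the `Member` path, which makes stale memberships easy to spot in the output.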