Local Group Created
Local Group Creation
Query
let AllDomainControllers =
DeviceNetworkEvents
| where LocalPort == 88
| where LocalIPType == "FourToSixMapping"
| summarize make_set(DeviceId);
DeviceEvents
| where ActionType == "SecurityGroupCreated"
| where not(DeviceId in (AllDomainControllers))
| extend Details = parse_json(AdditionalFields)
| extend
GroupName = tostring(Details.GroupName),
GroupDomainName = tostring(Details.GroupDomainName),
GroupSid = tostring(Details.GroupSid)
| join kind=inner (DeviceInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, OSPlatform, DeviceType)
on DeviceId
| project Timestamp, DeviceId, DeviceName, GroupName, GroupDomainName, GroupSid, OSPlatform, DeviceType, ReportIdAbout this query
Explanation
This query is designed to identify and list all local security groups that have been created on devices, excluding those created on domain controllers. Here's a simplified breakdown of what the query does:
-
Identify Domain Controllers:
- The query first identifies all domain controllers by looking at network events where the local port is 88 (commonly used for Kerberos authentication) and the IP type indicates a specific mapping. It collects the device IDs of these domain controllers.
-
Filter Security Group Creation Events:
- It then looks for events where a security group has been created (
ActionType == "SecurityGroupCreated"). - It excludes any group creation events that occurred on the identified domain controllers.
- It then looks for events where a security group has been created (
-
Extract Group Details:
- For each security group creation event, it extracts details such as the group name, domain name, and security identifier (SID) from additional fields in the event data.
-
Join with Device Information:
- The query joins these events with device information to get additional context, such as the operating system platform and device type, for each device where a group was created. This information is filtered to include only the most recent data from the last 30 days.
-
Output:
- Finally, it outputs a list of relevant details including the timestamp of the event, device ID, device name, group name, group domain name, group SID, OS platform, device type, and a report ID.
The purpose of this query is to monitor for potentially suspicious activity where local groups are created to bypass Active Directory group policies and security measures.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
DeviceNetworkEventsDeviceEventsDeviceInfo
Keywords
LocalGroupsSecurityGroupDomainControllersDevices
Operators
let|where==summarizemake_setnotinextendparse_jsontostringjoinkind=inner>agoarg_maxbyproject