Use Exposure Management To Chart User Groups With Local Admin Privileges
Query
//let PriveledgedGroups = dynamic(['', '', '' ]); // Add User Groups that are legitemately allowed to have local admin priveledges on devices
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| where SourceNodeLabel == @"group"
//| where SourceNodeName !in~ (PriveledgedGroups)
| where parse_json(EdgeProperties).rawData.userRightsOnDevice.isLocalAdmin == 'true'
| summarize by SourceNodeName, TargetNodeNameAbout this query
Use Exposure Management to chart User Groups with Local Admin privileges
Description
Exposure Management offers the capacity to build a map of User Groups that have Local Admin rights on your devices. This could allow identify misconfigurations on privileges assigned to User Groups. You may choose to opt out spcific User Groups which are expected to have local admnin privileges.
Microsoft Defender XDR
MITRE ATT&CK Mapping
- Tactic: Persistence
- Technique ID: T1098
- Account Manipulation
Source
- Exposure Management
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 23/08/2024 | Initial publish |
Explanation
This query is designed to identify user groups that have local admin privileges on devices using Microsoft Defender XDR's Exposure Management. Here's a simplified breakdown:
- Objective: To map out user groups with local admin rights on devices, helping to spot any misconfigurations in privilege assignments.
- Optional Filtering: You can exclude specific user groups that are expected to have local admin privileges.
- Query Steps:
- Look at edges in the exposure graph where the relationship is "can authenticate to".
- Focus on edges where the source node is a user group.
- Optionally, exclude groups that are legitimately allowed to have local admin rights.
- Check if the user group has local admin rights on the target device.
- Summarize the results by the names of the source (user group) and target (device).
MITRE ATT&CK Mapping
- Tactic: Persistence
- Technique ID: T1098 (Account Manipulation)
Versioning
- Version 1.0: Published on 23/08/2024
This query helps in identifying potential security risks by highlighting user groups with elevated privileges that might not be properly configured.
