Dashboard Query: Local Admin Accounts

Document created by Spencer Engleson on Oct 28, 2016. Last modified by Spencer Engleson on Oct 28, 2016. Version 2.

These queries look at the use of local administrator accounts, including first-time remote access to admin accounts.

 

Log Set: Asset Authentication

Event Sources: Endpoint Monitor/Endpoint Agent and Active Directory

 

Local Administrator Authentications

This query identifies all assets with local administrator authentications.  The subsequent queries will refine the results from this search by adding logical operators:

 

     where(destination_account="administrator" AND destination_user="administrator") groupby(destination_asset)

 

 

 

Successful/Failed Local Administrator Authentications

By adding another AND operator, we can restrict results to successful or failed authentications.  As there are various ways an authentication can fail, for unsuccessful authentications we use result!="SUCCESS" so that every non-success result is included.  As before, grouping by destination_asset shows a count for each asset that has experienced a successful or failed local admin authentication:

 

Successful Local Administrator Authentications:

     where(destination_account="administrator" AND destination_user="administrator" AND result="SUCCESS") groupby(destination_asset)

 

Unsuccessful Local Administrator Authentications:

     where(destination_account="administrator" AND destination_user="administrator" AND result!="SUCCESS") groupby(destination_asset)

 

Successful Remote Local Administrator Authentications

Once again, by adding a logical AND operator, we can narrow focus to remote authentications.  This query will show all assets that have experienced a remote authentication to an administrator account.

 

     where(destination_account="administrator" AND destination_user="administrator" AND result="SUCCESS" AND logon_type="REMOTE") groupby(destination_asset)


 

 

New Source Asset for Local Administrator Authentications

This query uses the new_source fact (the new_source_authentication field in the query) to identify successful remote local administrator authentications originating from a new source asset.

 

     where(destination_account="administrator" AND destination_user="administrator" AND result="SUCCESS" AND logon_type="REMOTE" AND new_source_authentication="true") calculate(count)

 

 

I like the Count visualization option for this query as it is a quick way to see how many new sources have been used in the set time frame.  You can then Go To Logs to see details for each authentication.
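To make the refinement steps above concrete, here is an added Python emulation (not the product's own query engine) that parses the where/groupby/calculate form of these queries and runs them over a handful of constructed Asset Authentication events.  Field names are the ones used in the queries above; the asset names and result strings are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample events shaped like the Asset Authentication log set.
# Field names match the queries on this page; values are made up for illustration.
EVENTS = [
    {"destination_asset": "ws-01", "destination_account": "administrator", "destination_user": "administrator",
     "result": "SUCCESS", "logon_type": "LOCAL", "new_source_authentication": "false"},
    {"destination_asset": "ws-01", "destination_account": "administrator", "destination_user": "administrator",
     "result": "FAILED_BAD_PASSWORD", "logon_type": "REMOTE", "new_source_authentication": "false"},
    {"destination_asset": "srv-02", "destination_account": "administrator", "destination_user": "administrator",
     "result": "SUCCESS", "logon_type": "REMOTE", "new_source_authentication": "true"},
    {"destination_asset": "srv-02", "destination_account": "administrator", "destination_user": "administrator",
     "result": "FAILED_ACCOUNT_LOCKED", "logon_type": "REMOTE", "new_source_authentication": "false"},
    {"destination_asset": "srv-03", "destination_account": "jsmith", "destination_user": "jsmith",
     "result": "SUCCESS", "logon_type": "REMOTE", "new_source_authentication": "true"},
]

# One condition of the form field="value" or field!="value".
COND_RE = re.compile(r'(\w+)(!?=)"([^"]*)"')

def parse_query(query):
    """Split a where(...) groupby(...) or where(...) calculate(count) query into its parts."""
    where = re.search(r"where\((.*?)\)\s*(groupby|calculate)", query)
    conditions = COND_RE.findall(where.group(1))  # [(field, op, value), ...]
    group = re.search(r"groupby\((\w+)\)", query)
    return conditions, (group.group(1) if group else None)

def matches(event, conditions):
    """All conditions are joined by AND, exactly as in the queries on this page."""
    for field, op, value in conditions:
        actual = event.get(field, "")
        # For "=" we need equality; for "!=" we need inequality.
        if (actual == value) != (op == "="):
            return False
    return True

def run_query(query, events=EVENTS):
    """Return {asset: count} for groupby queries, or a plain total for calculate(count)."""
    conditions, group_field = parse_query(query)
    hits = [e for e in events if matches(e, conditions)]
    if group_field is None:
        return len(hits)
    return dict(Counter(e[group_field] for e in hits))

if __name__ == "__main__":
    q = ('where(destination_account="administrator" AND destination_user="administrator" '
         'AND result!="SUCCESS") groupby(destination_asset)')
    print(run_query(q))  # {'ws-01': 1, 'srv-02': 1}
```

Each query on this page can be pasted into run_query unchanged, which is a convenient way to sanity-check a new filter before putting it on a dashboard.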
