🛡️ Defending the Local Castle: Catching Local Admin Creation via Defender XDR (KQL)

🛡️ Defending the Local Castle: Catching Local Admin Creation via Defender XDR (KQL)

Attackers love persistence, and one of the oldest tricks in the book is creating a stealthy local administrator account. If an adversary gains a foothold, they might try to bypass centralized logging by using the local user management GUI (lusrmgr.msc), running native CLI tools (net.exe), or leveraging existing active sessions.

To keep your perimeter secure, here is a comprehensive detection strategy using Microsoft Defender XDR KQL queries to cover these exact execution vectors

The GUI Approach: lusrmgr.msc via LAPS User#

Attackers often try to hide in plain sight by using the Local Users and Groups GUI (lusrmgr.msc) while logged into a LAPS or local account to elevate privileges. This query flags instances where the local management console is spun up by a standard or specific local user account to manipulate group memberships.

Terminal window
// Detection for creating local admin via lusrmgr GUI
DeviceProcessEvents
| where InitiatingProcessCommandLine has "lusrmgr.msc"
| where AccountName == "user" // Customize this to target specific local/LAPS sync accounts
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, FolderPath

The Command-Line Approach: net.exe / net1.exe#

The classic net localgroup administrators /add command is still heavily utilized by automated malware, ransomware scripts, and hands-on-keyboard attackers.

This query monitors the command line for local administrator additions, filters out common false positives (like OpenVPN or Oracle DBA setups), and correlates the action with DeviceLogonEvents to show you exactly how the user logged in (e.g., interactive, network, or service).

Terminal window
// Detection for local admin creation via Command Line Interface (CLI)
DeviceProcessEvents
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup" and ProcessCommandLine has "/add" and ProcessCommandLine has "admin"
// Exclusions for known administrative tools/software
| where ProcessCommandLine !contains "ora_dba"
| where ProcessCommandLine !contains "OpenVPN Administrators"
// Enforce a leftouter join to append rich logon context
| join kind=leftouter (
DeviceLogonEvents
| project LogonId, ActionType, LogonType, Protocol, RemoteIP, AdditionalFields
) on LogonId
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, LogonType, RemoteIP

The Session Approach: Audit Log & Group Modification Tracking#

If an attacker uses alternative API calls or creates a user over an RDP session, process command lines might not catch it. This query looks directly at the security event logs (DeviceEvents) for the actual UserAccountCreated and UserAccountAddedToLocalGroup actions.

It targets instances where a non-system account (filtering out computer accounts ending in $) adds someone to the Administrators group, excluding known, trusted admin accounts.

Terminal window
// Detection for local admin creation via Group Modification (RDP/API)
DeviceEvents
| where ActionType in~ ('UserAccountAddedToLocalGroup', 'UserAccountCreated')
// Global environment exclusions
| where not(DeviceName has "nhif.bg")
| where not(AccountName has "lenovo_tmp")
| where not(InitiatingProcessAccountName endswith "$") // Exclude system/machine accounts
| where not(InitiatingProcessAccountName has_any ("adm-s.toshev", "administrator"))
// Inner join to specifically isolate additions to the "Administrators" group
| join kind=inner (
DeviceEvents
| where ActionType == 'UserAccountAddedToLocalGroup'
| where AdditionalFields has "\"GroupName\":\"Administrators\""
| project DeviceName, TargetLocalAdminGroup = AdditionalFields
) on DeviceName
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ActionType, AccountName, TargetLocalAdminGroup

💡 Blue Team Takeaway#

By combining process command line analysis with system event auditing, you effectively close the visibility gap. Whether an attacker tries to use the Windows GUI, native command-line binaries, or API modifications, these queries ensure your SOC gets an alert the moment a new shadow admin is born.

License

CC BY-NC-SA 4.0 This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Related Posts