A malicious insider may have added a local admin account to gain elevated privileges and access sensitive systems. SOC teams should proactively hunt for this behavior to identify potential insider threats and unauthorized access in their Azure Sentinel environment.
KQL Query

```kql
DeviceLogonEvents
| where IsLocalAdmin == 1
    and AccountDomain == DeviceName
```
```yaml
id: 2211b57b-7d13-435d-89a9-40f333249605
name: localAdminAccountLogon
description: |
  This query looks for local admin accounts used to log on to the computer.
  This can help to detect malicious insiders who were able to add a local account to the local admin group offline.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
query: |
  DeviceLogonEvents
  | where IsLocalAdmin == 1
      and AccountDomain == DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Ensure this data connector is enabled |
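A broader version of this hunt, added here as an example and not part of the original query pack: it keeps the same local-admin / local-account condition but compares AccountDomain against the host label of DeviceName (on domain-joined devices DeviceName in DeviceLogonEvents is usually the fully qualified name while a local account's AccountDomain is the short host name; this is an assumption about your tenant, so confirm it on a known device first), drops the Batch and Service logon types that scheduled tasks and services generate, and reports only device/account pairs not seen in the prior 30 days. The 30d and 1d windows and the ActionType filter are constructed choices, not part of the original query.

```kql
// Added example, not from the original page. Assumes DeviceName is the FQDN and
// AccountDomain is the short host name for local accounts; adjust if your tenant differs.
let lookback = 30d;   // baseline window (constructed choice)
let recent   = 1d;    // hunting window (constructed choice)
let localAdminLogons = DeviceLogonEvents
    | where IsLocalAdmin == 1
    | where ActionType == "LogonSuccess"
    // compare only the host label so "HOST" matches "host.contoso.com"
    | extend HostLabel = tolower(tostring(split(DeviceName, ".")[0]))
    | where tolower(AccountDomain) == HostLabel;
// device/account pairs that already logged on as local admin during the baseline window
let baseline = localAdminLogons
    | where Timestamp between (ago(lookback + recent) .. ago(recent))
    | distinct DeviceName, AccountName;
localAdminLogons
| where Timestamp > ago(recent)
// Batch and Service logons are what scheduled tasks and services produce
| where LogonType !in ("Batch", "Service")
// keep only pairs with no prior history in the baseline window
| join kind=leftanti baseline on DeviceName, AccountName
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Logons = count(),
            LogonTypes = make_set(LogonType), RemoteIPs = make_set(RemoteIP),
            InitiatingProcesses = make_set(InitiatingProcessFileName)
  by DeviceName, AccountName
| order by FirstSeen asc
```

Review the RemoteIPs and InitiatingProcesses columns against the exclusion scenarios that follow before escalating a hit.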
Scenario: Scheduled Job Running as Local Admin
Description: A legitimate scheduled job (e.g., Task Scheduler task) is configured to run under a local admin account to perform system maintenance.
Filter/Exclusion: Check for EventID 41 (Task Scheduler) with TaskName matching known maintenance tasks or filter by Source such as Task Scheduler.
Scenario: System Update via Group Policy
Description: A local admin account is used to apply system updates or configuration changes via Group Policy or PowerShell scripts.
Filter/Exclusion: Filter by EventID 6008 (System crash dump) or EventID 6006 (Event Log service start), or check for CommandLine containing known update tools like wuauclt.exe or gpupdate.exe.
Scenario: Local Admin Used for Software Installation
Description: A local admin account is used to install software or drivers, which is a common practice in enterprise environments.
Filter/Exclusion: Filter by CommandLine containing known installers (e.g., msiexec.exe, setup.exe) or check for EventID 6008 (system reboot) following installation.
Scenario: Remote Desktop Services (RDS) Logon
Description: A local admin account is used to log on via Remote Desktop Services (RDS) for remote administration.
Filter/Exclusion: Filter by EventID 4624 with LogonType 10 (Interactive) or check for LogonServer containing RDP-Tcp or tscon.exe.
Scenario: Local Admin Account Used for Backup Tasks
Description: A local admin account is used to run backup jobs (e.g., Veeam,