An account whose SID ends in -500 is the built-in Administrator: every Windows host has a local one (machine SID prefix) and every domain has one as well (domain SID prefix). Non-local logons with such an account, that is logons arriving over the network or via RDP from another machine rather than at the console, indicate potential unauthorized access or lateral movement by an adversary who has obtained that privileged account. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of critical system resources.
KQL Query
```kusto
DeviceLogonEvents
| where AccountSid endswith '-500' and parse_json(AdditionalFields).IsLocalLogon != true
| join kind=leftanti IdentityLogonEvents on AccountSid // Remove the domain's built-in admin account
```
The first filter keeps RID-500 logons that Defender for Endpoint did not flag as local (the IsLocalLogon flag sits inside the dynamic AdditionalFields column, hence the parse_json). The leftanti join then drops every SID that also appears in IdentityLogonEvents, the table Defender for Identity populates from domain controller traffic: the domain's built-in Administrator shows up there, the local Administrator of each device (machine SID prefix) does not, so what remains are non-local logons with local Administrator accounts. A leftanti join against an empty right side removes nothing, so if IdentityLogonEvents is not being ingested the results will also include every non-local logon of the domain Administrator.
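Before relying on the join, it is worth checking that the domain Administrator's SID is actually present in IdentityLogonEvents. The following is an added diagnostic query, not part of the original hunting query, written against the documented DeviceLogonEvents and IdentityLogonEvents columns; the 7-day lookback is an assumption.

```kusto
// Added example (not the original hunting query): pre-check that the leftanti
// join can suppress the domain's built-in Administrator. For every RID-500 SID
// seen in device logons, report whether Defender for Identity has seen it too.
// Expected: the domain Administrator shows InIdentityLogonEvents == true, each
// device's local Administrator (machine SID prefix) shows false. If the domain
// SID also shows false, IdentityLogonEvents is not being ingested and the base
// hunting query will return the domain admin's logons as well.
let lookback = 7d;   // assumption: adjust to the hunting window you use
let deviceSids = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountSid endswith '-500'
    | summarize DeviceLogons = count(),
                LocalLogons = countif(tobool(parse_json(AdditionalFields).IsLocalLogon) == true),
                TargetDevices = dcount(DeviceName)
        by AccountSid, AccountDomain;
let identitySids = IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountSid endswith '-500'
    | summarize IdentityLogons = count() by AccountSid;
deviceSids
| join kind=leftouter identitySids on AccountSid
// The right-side key comes back as AccountSid1; it is empty when MDI never saw the SID.
| extend InIdentityLogonEvents = isnotempty(AccountSid1)
| project AccountSid, AccountDomain, InIdentityLogonEvents, DeviceLogons, LocalLogons, TargetDevices, IdentityLogons
| order by InIdentityLogonEvents desc, DeviceLogons desc
```

If the row for your domain (AccountDomain equal to the domain's NetBIOS name) shows InIdentityLogonEvents false, fix the Defender for Identity data flow before using the hunting query; otherwise the domain Administrator's network logons will dominate the results.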
Hunting query definition
```yaml
id: 435fead8-a25e-44be-9508-1985f8d724e6
name: Non-local logons with -500 account
description: |
  Non-local logons with the built-in administrator (-500) account.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
      - IdentityLogonEvents
query: |
  DeviceLogonEvents
  | where AccountSid endswith '-500' and parse_json(AdditionalFields).IsLocalLogon != true
  | join kind=leftanti IdentityLogonEvents on AccountSid // Remove the domain's built-in admin account
```
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Defender for Endpoint logon telemetry, delivered by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector and this table are enabled. |
| IdentityLogonEvents | Defender for Identity logon telemetry from the same connector; ensure it is enabled, otherwise the join removes nothing and the domain Administrator's logons are not filtered out. |
Tuning false positives
The exclusions below are written against the DeviceLogonEvents schema: DeviceName is the machine where the logon landed, RemoteDeviceName and RemoteIP identify where it came from, LogonType is a string (Interactive, Network, Batch, Service, RemoteInteractive), and there are no EventID, TaskName or ProcessName columns. Tie every exclusion to a known source host; an exclusion on logon type or process name alone hides exactly the lateral movement this hunt exists to find.
Scenario: A system administrator is using the built-in Administrator account to perform routine maintenance on a server from the management workstation.
Filter/Exclusion: Exclude logon events whose source is that workstation (e.g., RemoteDeviceName == "Mgmt-Server-01"), not the target (DeviceName), which would hide every logon to the server itself.
Scenario: A scheduled task is configured to run under the built-in Administrator account to perform system backups.
Filter/Exclusion: A task that runs on the host itself produces a Batch logon that is local, so the base query already excludes it. Only when the task reaches other hosts (for example to write to a backup share) does it appear there as a non-local logon; exclude those by source host (e.g., RemoteDeviceName == "Backup-Server-01"), not by logon type.
Scenario: A third-party tool, such as Microsoft System Center Configuration Manager (SCCM), is using the built-in Administrator account to push updates to managed endpoints.
Filter/Exclusion: Exclude logon events whose source is the SCCM site server (e.g., RemoteDeviceName == "SCCM-Server", or its RemoteIP). Better still, run SCCM under a dedicated service account so the built-in Administrator is not used for this at all.
Scenario: A user is using Remote Desktop Services (RDS) to connect to a server and the built-in Administrator account is used as the target for the session.
Filter/Exclusion: Do not exclude remote desktop logons wholesale. In DeviceLogonEvents they carry LogonType == "RemoteInteractive" (the numeric type 10 of the Windows 4624 event does not appear here), and RDP with a built-in Administrator is the most interesting signal in this hunt. Exclude RemoteInteractive logons only when they originate from an approved jump host (e.g., LogonType == "RemoteInteractive" and RemoteDeviceName == "Jump-Host-01").
Scenario: A script or automation tool, such as PowerShell or Ansible, is executing under the built-in Administrator account to configure system settings.
Filter/Exclusion: InitiatingProcessFileName is available, but powershell.exe is just as much an attacker's tool, and there is no ansible.exe on a managed Windows host (Ansible connects over WinRM or SSH). Exclude these logons by the automation controller's source address (e.g., RemoteDeviceName == "Ansible-Ctl-01", or RemoteIP in a list of controller addresses), optionally combined with the expected LogonType.
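The scenarios above can be folded into a single tuned version of the hunting query. This is an added example, not the original hunting query or a Microsoft-provided one; the host names in approvedSources are constructed placeholders, and the 1-day window and the priority labels are assumptions.

```kusto
// Added example (not the original hunting query): the base query with the tuning
// scenarios applied as exclusions that are always tied to an approved source host,
// never to a logon type or process name alone. Host names below are constructed
// placeholders; replace them with your own management, SCCM, backup and automation hosts.
let approvedSources = datatable(SourceHost: string, Reason: string) [
    "mgmt-server-01",   "Admin jump host used for routine maintenance and RDP",
    "sccm-server",      "SCCM site server pushing updates",
    "backup-server-01", "Host running the scheduled backup task",
    "ansible-ctl-01",   "Automation controller (Ansible over WinRM/SSH, remote PowerShell)"
];
DeviceLogonEvents
| where Timestamp > ago(1d)                    // assumption: hunting window
| where AccountSid endswith '-500'
| where tobool(parse_json(AdditionalFields).IsLocalLogon) != true
// Remove the domain's built-in Administrator: its SID appears in Defender for Identity
// data, whereas each device's local RID-500 account (machine SID prefix) does not.
| join kind=leftanti IdentityLogonEvents on AccountSid
// Normalise the source host (short name, lower-case) so it matches the allowlist;
// logons that carry only a RemoteIP get an empty SourceHost and are never excluded.
| extend SourceHost = tolower(tostring(split(RemoteDeviceName, ".")[0]))
| join kind=leftouter approvedSources on SourceHost
| where isempty(Reason)                       // keep only logons from sources NOT approved
// Rank what is left: RDP with a built-in admin from an unknown source comes first.
| extend Priority = case(
    LogonType == "RemoteInteractive",             "1-High: RDP logon from an unapproved source",
    LogonType == "Batch",                         "2-Medium: batch/scheduled-task logon from an unapproved source",
    InitiatingProcessFileName =~ "powershell.exe", "2-Medium: PowerShell-initiated logon from an unapproved source",
                                                  "3-Review: other non-local logon from an unapproved source")
| summarize Logons = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Results = make_set(ActionType), LogonTypes = make_set(LogonType),
            RemoteIPs = make_set(RemoteIP), Processes = make_set(InitiatingProcessFileName)
    by AccountSid, AccountName, DeviceName, SourceHost, Priority
| order by Priority asc, Logons desc
```

The allowlist is joined on the source of the logon, so an approved host is only trusted as an origin: logons to the management server from elsewhere still surface. ActionType is kept in the output because the base query does not restrict itself to successful logons, and a run of LogonFailed rows against local Administrator accounts from one source is itself worth a look.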