Note: I have updated the kql queries below, but the screenshots itself still refer to the previous (old) schema names
If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip how to find out who’s logging on with local administrators’ rights. But first when would you want to run this? Well here are some scenarios I can think of:
- You want to find users that have local administrator rights on their devices.
- You introduced LAPS and instructed your IT support to no longer use their own credentials but use the LAPS Administrator and password. (here’s a great article why you should do so. Remote Use of Local Accounts: LAPS Changes Everything
- You’re proactively looking for suspicious behaviour
Or if you want to get more details about the computer and how they logged on (Remote Interactive, Interactive or via the network such as with PowerShell) simply comment out the summarize line in the kusto query code.
Yes I know screenshots with code aren’t cool, so here again to copy paste:
// Uses that logon with local admin rights summary
|// users that logon on with Local Admin rights – detailed