Goal
Confirm that a local admin change (a new local account, or a change to local Administrators group membership) is unauthorized, and remove the rogue admin access.
When to use
- Alerts indicating local account creation or group membership changes
Prereqs
- Endpoint telemetry + identity context
Procedure (high level)
- Identify who or what created the account or modified the group (the acting user, service, or process), using endpoint telemetry and identity context
- Confirm whether the change is covered by an approved change request or ticket
- Remove unauthorized accounts and unauthorized admin group entries
- Capture evidence (relevant events, actor, timestamps, remediation taken) and update the case
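The procedure above, as an added PowerShell example (not part of the original runbook). It assumes a Windows endpoint with account and security group management auditing enabled, the built-in LocalAccounts module (Windows 10 / Server 2016 and later), and an elevated shell. The approved-change list, ticket number, actor and member names are constructed samples; in practice the list comes from the change or ticket system. Without the -Remediate switch the script only reports and writes evidence.

```powershell
<#
  Added example, not part of the original runbook. Assumes a Windows endpoint with
  "Audit User Account Management" and "Audit Security Group Management" enabled,
  the built-in LocalAccounts module (Windows 10 / Server 2016+) and an elevated shell.
  $ApprovedChanges is a constructed sample; in practice it comes from the change/ticket system.
#>
param(
    [int]$LookbackHours = 24,
    [string]$EvidencePath = "$env:TEMP\local-admin-triage.csv",
    [switch]$Remediate     # without this switch the script only reports
)

# Constructed sample of approved changes (hypothetical ticket, actor, member and window)
$ApprovedChanges = @(
    @{ Ticket = 'CHG-EXAMPLE-1'; Actor = 'deploysvc'; Member = 'svc_backup'
       Start = (Get-Date).AddHours(-6); End = (Get-Date).AddHours(-5) }
)

$AdminGroupSid = 'S-1-5-32-544'   # built-in Administrators, independent of display language

function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Returns the ticket id when actor, member and time fall inside an approved window, else $null
function Test-Approved {
    param([string]$Actor, [string]$Member, [datetime]$When)
    foreach ($c in $ApprovedChanges) {
        if ($Actor -eq $c.Actor -and $Member -eq $c.Member -and
            $When -ge $c.Start -and $When -le $c.End) { return $c.Ticket }
    }
    return $null
}

# 4720 = user account created, 4732 = member added to a security-enabled local group
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $actor = Get-EventField $e 'SubjectUserName'
    if ($e.Id -eq 4720) {
        $kind   = 'AccountCreated'
        $member = Get-EventField $e 'TargetUserName'
    } else {
        # Only additions to the local Administrators group are in scope here
        if ((Get-EventField $e 'TargetSid') -ne $AdminGroupSid) { continue }
        $kind = 'AdminGroupMemberAdded'
        # MemberName is often '-' for local accounts, so resolve the SID instead
        $sid = Get-EventField $e 'MemberSid'
        try {
            $member = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                          [System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        } catch { $member = $sid }
    }
    $ticket = Test-Approved -Actor $actor -Member $member -When $e.TimeCreated
    $status = if ($ticket) { "Approved ($ticket)" } else { 'UNAUTHORIZED' }
    [pscustomobject]@{
        Time = $e.TimeCreated; EventId = $e.Id; Kind = $kind
        Actor = $actor; Member = $member
        LogonId = Get-EventField $e 'SubjectLogonId'   # ties the change to a logon session
        Status = $status
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path $EvidencePath -NoTypeInformation   # evidence for the case
Write-Host "Evidence written to $EvidencePath"

if ($Remediate) {
    $adminGroup = Get-LocalGroup -SID $AdminGroupSid
    foreach ($f in ($findings | Where-Object Status -eq 'UNAUTHORIZED')) {
        if ($f.Kind -eq 'AdminGroupMemberAdded') {
            Remove-LocalGroupMember -Group $adminGroup -Member $f.Member -ErrorAction Continue
        } else {
            # Disable first; delete only once evidence (profile, SID) has been captured
            Disable-LocalUser -Name $f.Member -ErrorAction Continue
        }
    }
}
```

Two caveats when reading the output: a change made through a domain group that is nested in local Administrators produces no 4732 on the endpoint, and an actor who already holds admin can clear the Security log, so corroborate the findings against EDR or SIEM telemetry before closing the case. The SubjectLogonId column is what lets you pivot from the change to the logon session (4624) that performed it.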
Validation
- Rogue admin access removed
- No recurrence after monitoring window
