#windows

Luke Wolfenden

02/24/2022, 3:32 PM
Hey, I'm looking to query AzureAD users that have local administrator rights to their local machine, it looks like this isn't possible as osquery will only report back the local users. Instead I thought we could target the windows event log for Security event ID 4732, however when running this against a machine it does not report back anything from the event log.

Tilman Bender

02/24/2022, 3:45 PM
Have you had a look at the logon_sessions table?
3:46 PM
Not sure logins using an AzureAD account would show up in there but it might be worth a try

Luke Wolfenden

02/24/2022, 3:47 PM
SELECT * FROM logon_sessions;
3:47 PM
shows the AzureAD accounts, but does not show what local groups they belong to

Tilman Bender

02/24/2022, 3:51 PM
hhmmm does it show a SID?
3:52 PM
I wrote a query just yesterday to detect local admins logged in interactively.

Luke Wolfenden

02/24/2022, 3:52 PM
yes, shows logon_sid, here are the full results
3:53 PM
ElonMusk is the logged on user that I'm trying to query
3:53 PM
for this particular device, but that would change depending on the device

Tilman Bender

02/24/2022, 3:54 PM
hang on I'll grab my query for local admin, maybe you can work from there

Luke Wolfenden

02/24/2022, 3:55 PM
woop, thanks

Tilman Bender

02/24/2022, 3:55 PM
SELECT * FROM logon_sessions
INNER JOIN users ON logon_sessions.logon_sid = users.uuid
WHERE logon_type='Interactive' AND gid=544;
3:56 PM
so this is for interactive logons for users whose gid matches 544 which seems to be the gid for the local Administrators group

Luke Wolfenden

02/24/2022, 4:00 PM
alright, I'll have a look 🙂
4:21 PM
doesn't work for AzureAD accounts, the gid doesn't correlate to the local gids, possibly because it's not the primary gid. For example my one for ElonMusk is "2750818564". It was worth a try though
4:21 PM
I think windows event logs might be able to help here, but it doesn't seem to be letting me query event logs by default on windows devices.

Tilman Bender

02/24/2022, 4:27 PM
Ah pity. Either way, we learned sth. new 🙂