fritz

12/01/2021, 4:18 PM
@Mayan as @zwass mentioned you will want to query against the `users` and `user_groups` tables. For example if you wanted to find users who belonged to the administrator group on macOS you would run something like:

```sql
SELECT
  u.uid,
  u.username,
  ug.gid,
  g.groupname
FROM users u
JOIN user_groups ug USING(uid)
JOIN groups g ON ug.gid = g.gid
WHERE g.groupname = 'admin';
```

```
+-----+-----------------+-----+-----------+
| uid | username        | gid | groupname |
+-----+-----------------+-----+-----------+
| 502 | fritz           | 80  | admin     |
| 501 | kolide-imac-pro | 80  | admin     |
| 0   | root            | 80  | admin     |
+-----+-----------------+-----+-----------+
```

Mayan

12/01/2021, 4:21 PM
Thank you kind sir.