Channels
#windows
Title
f
fritz
05/13/2020, 4:43 PMc
Chris Ray
05/13/2020, 8:06 PMI have looked at both, but I don't see the data I need in those tables/fields.
ntdomains provides a great source of domain related data, but nothing about who administers the domain.
user_groups seems like it needs to be joined with another table to provide the most use.
f
fritz
05/13/2020, 11:42 PMRight for user_groups you join against users to see all the groups a given user belongs to, eg:
Copy code
osquery> SELECT u.username, ug.gid FROM users u, user_groups ug USING (uid) WHERE uid = 502;
+------------+-----+
| username | gid |
+------------+-----+
| fritz-imac | 20 |
| fritz-imac | 12 |
| fritz-imac | 61 |
| fritz-imac | 79 |
| fritz-imac | 80 |
| fritz-imac | 81 |
| fritz-imac | 98 |
| fritz-imac | 702 |
| fritz-imac | 703 |
| fritz-imac | 33 |
| fritz-imac | 100 |
| fritz-imac | 204 |
| fritz-imac | 250 |
| fritz-imac | 395 |
| fritz-imac | 398 |
| fritz-imac | 399 |
| fritz-imac | 400 |
| fritz-imac | 701 |
+------------+-----+c
Chris Ray
05/14/2020, 1:57 PMahh! Briliant, thank you!
@fritz
I have changed the query to have a "WHERE ug.gid = 512"
512 = Domain Admins group, which on the dev server has one user in it, however when I query the user_groups table that gid does not show up
What could cause this?
I figured it out, domain admins are nested within gid 544 (Administrators group).
When selecting from user_groups you only see the parent containers, not the nested container membership
3 Views