Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
f
fritz
05/13/2020, 4:43 PMc
Chris Ray
05/13/2020, 8:06 PMI have looked at both, but I don't see the data I need in those tables/fields.
ntdomains provides a great source of domain related data, but nothing about who administers the domain.
user_groups seems like it needs to be joined with another table to provide the most use.
f
fritz
05/13/2020, 11:42 PMRight for user_groups you join against users to see all the groups a given user belongs to, eg:
osquery> SELECT u.username, ug.gid FROM users u, user_groups ug USING (uid) WHERE uid = 502;
+------------+-----+
| username | gid |
+------------+-----+
| fritz-imac | 20 |
| fritz-imac | 12 |
| fritz-imac | 61 |
| fritz-imac | 79 |
| fritz-imac | 80 |
| fritz-imac | 81 |
| fritz-imac | 98 |
| fritz-imac | 702 |
| fritz-imac | 703 |
| fritz-imac | 33 |
| fritz-imac | 100 |
| fritz-imac | 204 |
| fritz-imac | 250 |
| fritz-imac | 395 |
| fritz-imac | 398 |
| fritz-imac | 399 |
| fritz-imac | 400 |
| fritz-imac | 701 |
+------------+-----+c
Chris Ray
05/14/2020, 1:57 PMahh! Briliant, thank you!
@fritz
I have changed the query to have a "WHERE ug.gid = 512"
512 = Domain Admins group, which on the dev server has one user in it, however when I query the user_groups table that gid does not show up
What could cause this?
I figured it out, domain admins are nested within gid 544 (Administrators group).
When selecting from user_groups you only see the parent containers, not the nested container membership