List user accounts
SCHEMA
| Column | Type | Description |
|---|---|---|
| description | string | Plugin description text |
| directory | string | User's home directory |
| gid | long | Group ID (unsigned) of the user running the process |
| shell | string | User's configured default shell |
| type | string | Type of the registry value |
| uid | long | The local user that owns the plugin |
| username | string | Username |
| uuid | string | User's UUID (Apple) or SID (Windows) |
```sql
-- user_accounts INFO
SELECT
    -- Device ID DETAILS
    meta_hostname, meta_ip_address,
    -- Query Details
    query_name, description, directory, gid, shell, type, uid, username, uuid,
    -- Decoration
    meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address,
    meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip,
    meta_query_pack_version, meta_username,
    -- Generic
    calendar_time, counter, epoch, host_identifier, numerics, osquery_action, unix_time,
    -- Data Lake
    customer_id, endpoint_id, upload_size
FROM xdr_data
WHERE query_name = 'user_accounts'
```
RESULTS
| meta_hostname | meta_ip_address | query_name | description | directory | gid | shell | type | uid | username | uuid | meta_boot_time | meta_eid | meta_endpoint_type | meta_ip_mask | meta_mac_address | meta_os_name | meta_os_platform | meta_os_type | meta_os_version | meta_public_ip | meta_query_pack_version | meta_username | calendar_time | counter | epoch | host_identifier | osquery_action | unix_time | customer_id | endpoint_id | upload_size |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Victim3-EDR | 192.168.100.143 | user_accounts | Built-in account for administering the computer/domain |  | 513 | C:\Windows\System32\cmd.exe | local | 500 | Administrator | S-1-5-21-1680605830-2124678498-765961272-500 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 877 |
| Victim3-EDR | 192.168.100.143 | user_accounts | Built-in account for guest access to the computer/domain |  | 513 | C:\Windows\System32\cmd.exe | local | 501 | Guest | S-1-5-21-1680605830-2124678498-765961272-501 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 871 |
| Victim3-EDR | 192.168.100.143 | user_accounts |  |  | 513 | C:\Windows\System32\cmd.exe | local | 1004 | StandardUser | S-1-5-21-1680605830-2124678498-765961272-1004 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 824 |
| Victim3-EDR | 192.168.100.143 | user_accounts |  | C:\Users\test | 513 | C:\Windows\System32\cmd.exe | local | 1002 | test | S-1-5-21-1680605830-2124678498-765961272-1002 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 831 |
| Victim3-EDR | 192.168.100.143 | user_accounts |  | C:\Users\Victim1Admin | 513 | C:\Windows\System32\cmd.exe | local | 1005 | Victim1Admin | S-1-5-21-1680605830-2124678498-765961272-1005 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 847 |
| Victim3-EDR | 192.168.100.143 | user_accounts |  | %systemroot%\system32\config\systemprofile | 18 | C:\Windows\system32\cmd.exe | special | 18 | SYSTEM | S-1-5-18 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 825 |
| Victim3-EDR | 192.168.100.143 | user_accounts |  | C:\Windows\ServiceProfiles\LocalService | 19 | C:\Windows\system32\cmd.exe | special | 19 | LOCAL SERVICE | S-1-5-19 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 829 |
| Victim3-EDR | 192.168.100.143 | user_accounts |  | C:\Windows\ServiceProfiles\NetworkService | 20 | C:\Windows\system32\cmd.exe | special | 20 | NETWORK SERVICE | S-1-5-20 | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T12:03:44Z | 0 | 1602320453 | Victim3-EDR | False | 2020-10-10T12:03:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 833 |
| Victim1-EDR | 192.168.100.164 | user_accounts | Built-in account for administering the computer/domain |  | 513 | C:\Windows\System32\cmd.exe | local | 500 | Administrator | S-1-5-21-1680605830-2124678498-765961272-500 | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T10:15:22Z | 0 | 1602319950 | Victim1-EDR | False | 2020-10-10T10:15:22Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 877 |
| Victim1-EDR | 192.168.100.164 | user_accounts | Built-in account for guest access to the computer/domain |  | 513 | C:\Windows\System32\cmd.exe | local | 501 | Guest | S-1-5-21-1680605830-2124678498-765961272-501 | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T10:15:22Z | 0 | 1602319950 | Victim1-EDR | False | 2020-10-10T10:15:22Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 871 |
| Victim1-EDR | 192.168.100.164 | user_accounts |  |  | 513 | C:\Windows\System32\cmd.exe | local | 1004 | StandardUser | S-1-5-21-1680605830-2124678498-765961272-1004 | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T10:15:22Z | 0 | 1602319950 | Victim1-EDR | False | 2020-10-10T10:15:22Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 824 |
| Victim1-EDR | 192.168.100.164 | user_accounts |  | C:\Users\test | 513 | C:\Windows\System32\cmd.exe | local | 1002 | test | S-1-5-21-1680605830-2124678498-765961272-1002 | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T10:15:22Z | 0 | 1602319950 | Victim1-EDR | False | 2020-10-10T10:15:22Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 831 |
| Victim1-EDR | 192.168.100.164 | user_accounts |  | C:\Users\Victim1Admin | 513 | C:\Windows\System32\cmd.exe | local | 1005 | Victim1Admin | S-1-5-21-1680605830-2124678498-765961272-1005 | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T10:15:22Z | 0 | 1602319950 | Victim1-EDR | False | 2020-10-10T10:15:22Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 847 |