Thread Info
  • State Suggested Answer
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 14 subscribers
  • Views 5106 views
  • Users 0 members are here
Options
Suggested

Finding where the domain users group added to the remote desktop users local group

Nandha

Hi,

Is there any osquery to get all the domain-joined machines where the "Domain Users" group is added to the "Remote Desktop Users" local group?



Added tags
[edited by: GlennSen at 11:47 AM (GMT -7) on 3 Sep 2024]
Parents
  • 0

    Hi Nandha, 

    From the available Sophos Schema, we could leverage the account_activity or authentication_activity tables, which contain relevant information about user account actions and events.

    To achieve our goal, we must focus on User Account, Authentication Events and cross-reference User IDs and Group. So when we look into tables like account_activity or authentication_activity track user actions and could potentially reveal group membership or authentication details related to domain users. Then we can track the relationship between users and group activities through event logs, as these might indicate when a user is added to a group like "Remote Desktop Users.

    Here is a sample code for you. I did not test this because I did not have a feasible environment to test it.

    SELECT
  aa.hostname,
  aa.target_username,
  aa.target_domain,
  aa.logon_process
FROM
  authentication_activity aa
WHERE
  aa.logon_process = 'Remote Desktop Services'
  AND aa.target_username = 'Domain Users'
  AND aa.category = 'authentication_activity';


    You might need to refine this based on actual event data available in Central Data Lake. For instance, if you want all the domain users, consider using the wildcard character "%" in Sophos Central when creating this query. Although this is not a perfect query, I believe you have something to start with. Wink

    Mark the answer if you find this helpful. 

    Thank You

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

Reply
  • 0

    Hi Nandha, 

    From the available Sophos Schema, we could leverage the account_activity or authentication_activity tables, which contain relevant information about user account actions and events.

    To achieve our goal, we must focus on User Account, Authentication Events and cross-reference User IDs and Group. So when we look into tables like account_activity or authentication_activity track user actions and could potentially reveal group membership or authentication details related to domain users. Then we can track the relationship between users and group activities through event logs, as these might indicate when a user is added to a group like "Remote Desktop Users.

    Here is a sample code for you. I did not test this because I did not have a feasible environment to test it.

    SELECT
  aa.hostname,
  aa.target_username,
  aa.target_domain,
  aa.logon_process
FROM
  authentication_activity aa
WHERE
  aa.logon_process = 'Remote Desktop Services'
  AND aa.target_username = 'Domain Users'
  AND aa.category = 'authentication_activity';


    You might need to refine this based on actual event data available in Central Data Lake. For instance, if you want all the domain users, consider using the wildcard character "%" in Sophos Central when creating this query. Although this is not a perfect query, I believe you have something to start with. Wink

    Mark the answer if you find this helpful. 

    Thank You

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

Children
No Data
Unfiltered HTML