Hi,
Is there any osquery to get all the domain-joined machines where the "Domain Users" group is added to the "Remote Desktop Users" local group?
Added tags
[edited by: GlennSen at 11:47 AM (GMT -7) on 3 Sep 2024]
Hi,
Is there any osquery to get all the domain-joined machines where the "Domain Users" group is added to the "Remote Desktop Users" local group?
Adding to the cross reference mentioned in my previous message.
Actually, we can combine both authentication data and cross-referencing event logs to get a more comprehensive output, you can create a query that leverages the event logs to find the group membership changes and then uses the authentication activity to identify when "Domain Users" actually logged in using Remote Desktop Services.
WITH GroupMembershipEvents AS (
SELECT
wl.hostname,
wl.time AS event_time,
wl.data AS event_data
FROM
win_event_log wl
WHERE
wl.data LIKE '%Remote Desktop Users%'
AND wl.data LIKE '%Domain Users%'
AND wl.eventid IN (4728, 4732, 4733, 4729)
),
AuthenticationEvents AS (
SELECT
aa.hostname,
aa.target_username,
aa.target_domain,
aa.logon_process,
aa.time AS auth_time
FROM
authentication_activity aa
WHERE
aa.logon_process = 'Remote Desktop Services'
AND aa.target_username = 'Domain Users'
AND aa.category = 'authentication_activity'
)
SELECT
gm.hostname,
gm.event_time AS group_event_time,
ae.auth_time AS login_time,
gm.event_data AS group_membership_event,
ae.target_username,
ae.target_domain,
ae.logon_process
FROM
GroupMembershipEvents gm
JOIN
AuthenticationEvents ae ON gm.hostname = ae.hostname
WHERE
ae.auth_time >= gm.event_time
ORDER BY
gm.event_time DESC, ae.auth_time DESC;
And again, you might need to refine this based on actual event data available in Central Data Lake. For instance, if you want all the domain users, consider using the wildcard character "%" in Sophos Central when creating this query.
Ismail Jaweed Ahmed (Ismail)
Senior Professional Service Engineer
Adding to the cross reference mentioned in my previous message.
Actually, we can combine both authentication data and cross-referencing event logs to get a more comprehensive output, you can create a query that leverages the event logs to find the group membership changes and then uses the authentication activity to identify when "Domain Users" actually logged in using Remote Desktop Services.
WITH GroupMembershipEvents AS (
SELECT
wl.hostname,
wl.time AS event_time,
wl.data AS event_data
FROM
win_event_log wl
WHERE
wl.data LIKE '%Remote Desktop Users%'
AND wl.data LIKE '%Domain Users%'
AND wl.eventid IN (4728, 4732, 4733, 4729)
),
AuthenticationEvents AS (
SELECT
aa.hostname,
aa.target_username,
aa.target_domain,
aa.logon_process,
aa.time AS auth_time
FROM
authentication_activity aa
WHERE
aa.logon_process = 'Remote Desktop Services'
AND aa.target_username = 'Domain Users'
AND aa.category = 'authentication_activity'
)
SELECT
gm.hostname,
gm.event_time AS group_event_time,
ae.auth_time AS login_time,
gm.event_data AS group_membership_event,
ae.target_username,
ae.target_domain,
ae.logon_process
FROM
GroupMembershipEvents gm
JOIN
AuthenticationEvents ae ON gm.hostname = ae.hostname
WHERE
ae.auth_time >= gm.event_time
ORDER BY
gm.event_time DESC, ae.auth_time DESC;
And again, you might need to refine this based on actual event data available in Central Data Lake. For instance, if you want all the domain users, consider using the wildcard character "%" in Sophos Central when creating this query.
Ismail Jaweed Ahmed (Ismail)
Senior Professional Service Engineer