Browse Live Discover and Response Queries by Category
Under Review

NOTE: There are multiple recommendations covered within this posts comment section to help identify local admins. Please be sure you are using the right query shared for your goal.

EDR Query to find all local admins (Windows)

I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right now I'm left with doing it via SCCM and Powershell, but this is a little unreliable for us. Any chance of seeing a prebuilt query within Live Discover for this? Or can anyone lend me a hand figuring out the query?

EDIT:

I accidentally omitted an important piece. I've been researching on this for the past few days and forgot what the real hangup is.

We want to query both local users and domain users. Basically, we want to see any and all accounts that are added to the local admin group on any machine. So if MYDOMAIN\Jensenj is in the group on one of our computers, we want to know. We'd like to run this periodically to ensure that we don't have any accounts that we don't know about out there in the wild, as sometimes we have staff with admin creds that may add an account to that group (We're working on the root cause there:)

Jacob Jensen2
Parents Comment
  • in reply to JeramyKopacko

    Interesting. I am not seeing the same result where it pulls in roaming at all with your mention of adding "OR u.type = "roaming""

    The JOIN on UG.UID = U.UID misses the domain account as the user_groups table doesn't include the UID for the roaming account. At least in my data set.

    Guess I need to look at reversing the logic for domain accounts or something

Children
No Data
Unfiltered HTML