Built off the open source project Osquery
Description: Retrieves a list of local administrator accounts.
What The Data Shows: Finds local accounts that are in the administrator group.
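-- Local accounts that are members of the Administrators group.
-- String literals use single quotes; SQLite treats double quotes as identifiers first.
SELECT u.username, g.groupname, u.type, u.uid, g.gid, u.description, g.comment
FROM users u
JOIN user_groups ug ON ug.uid = u.uid
JOIN groups g ON g.gid = ug.gid
WHERE g.groupname = 'Administrators'
AND u.type = 'local';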
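One way to act on these results is to compare them with an approved list of administrators per endpoint. The script below is an added example, not part of the original post or of any Carbon Black product; the "device" field, the sample rows and the baseline are constructed assumptions about how the exported results are labelled.

```python
import json

# Constructed sample rows, shaped like JSON results of the query above.
# "device" is an assumed per-endpoint label added by whatever exports the results.
SAMPLE = json.loads("""[
 {"device": "WS-01", "username": "Administrator", "groupname": "Administrators", "type": "local", "UID": "500"},
 {"device": "WS-01", "username": "IT-Admin", "groupname": "Administrators", "type": "local", "UID": "1001"},
 {"device": "WS-01", "username": "svc_backup", "groupname": "Administrators", "type": "local", "UID": "1007"},
 {"device": "WS-02", "username": "Administrator", "groupname": "Administrators", "type": "local", "UID": "500"}
]""")

# Hypothetical baseline of approved local administrators per device.
BASELINE = {
    "WS-01": {"Administrator", "it-admin"},
    "WS-02": {"Administrator", "helpdesk"},
}


def review_admins(rows, baseline):
    """Return (unexpected, missing) as sorted lists of (device, username)."""
    seen = {}
    for row in rows:
        # Column-name case depends on how the SELECT was written; normalise it.
        row = {key.lower(): value for key, value in row.items()}
        # Windows account names are case-insensitive, so compare lowercased.
        seen.setdefault(row["device"], set()).add(row["username"].lower())

    unexpected, missing = [], []
    for device, admins in seen.items():
        approved = {name.lower() for name in baseline.get(device, set())}
        # Admin accounts nobody approved: the ones to review first.
        unexpected += [(device, user) for user in admins - approved]
        # Approved accounts that are absent: the baseline may be stale.
        missing += [(device, user) for user in approved - admins]
    return sorted(unexpected), sorted(missing)


if __name__ == "__main__":
    unexpected, missing = review_admins(SAMPLE, BASELINE)
    for device, user in unexpected:
        print(f"REVIEW {device}: '{user}' is a local admin but not in the baseline")
    for device, user in missing:
        print(f"INFO   {device}: baseline admin '{user}' was not returned")
```

A device that returns no rows at all is not reported here, so an empty result set should be checked separately.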
Yes GID 555.
In the 2nd query I left out the "local" statement to see if I could get all users to try and pick up any AD accounts. Is that possible?
@wmorse please email me at email@example.com so we can set up a time to review as I think it may be easier to troubleshoot
I tried it and it works great, Thank you!!
I am not a coder so I am seeking help. Is it possible to modify it to try a few common passwords on the identified admin account or even all accounts?
Is it possible with another CB product?
Also, it would be very helpful if you could direct me towards an online resource which explains the difference between all CB products/components/solutions.
@techlab I am sorry, but no CB products are capable of testing passwords.
For the details on the rest of the Carbon Black offerings, you can check out the Product Path tab on this page: https://carbonblack.vmware.com/