ADQuery 2.1.0.0001
Introduction
It is not unusual to want to gather information from your endpoints about their Active Directory status, and the Tanium platform is well suited to gathering that sort of information. But care needs to be taken when implementing tooling to gather it. What seems like a simple command or WMI query can have a greater impact than expected. For example, if you wanted AD account information from a single endpoint, having that endpoint query the AD server (a domain controller) directly would be a reasonable way to do it; getting the same information from 1,000 endpoints at once could amount to a denial of service against your AD server. Since Tanium sensors are designed to run quickly, so that data comes back as rapidly as possible, and are typically run against thousands of systems at the same time, having a sensor query an AD server directly is not a good approach. The content in the Tanium Active Directory Query solution is intended to meet the need for AD information from endpoints while avoiding the dangers of the "direct query" approach.
Download Location
This content is available at: https://content.tanium.com/files/published/ADQuery/2018-03-26_08-32-13_2.1.0.0001-ga35c996/ADQuery.xml
Usage
Tanium Active Directory Query gathers AD information by leveraging a combination of Tanium packages and sensors. Since a Tanium sensor is meant to execute within 60 seconds, there is no facility to let the underlying code run over an extended time. That limitation does not apply to Tanium packages, which can be deployed via actions with a Distribute Over Time (DOT) setting. That setting introduces a random delay (a value between 0 and the specified maximum) into the action execution on each endpoint, which, viewed across all the targeted endpoints, spreads the executions out over that time period. So an action deployed with a 60 minute DOT value would see each targeted endpoint run the action at a different time within the hour following the specified start time. Since the actual delay on each endpoint is a random number, the distribution will not be perfectly even (the actions will not fire exactly 5 seconds apart, say), but it spreads them out in a reasonable manner. In the context of the AD query, this means we can use an action with an appropriate DOT value to query the AD server from each endpoint without the risk of overloading it with too many simultaneous requests. That action writes the results of the AD query to XML files on the endpoint, and the corresponding sensors read their results from those files, an operation that is fast, low cost, and has no impact on the AD server(s).
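As an added illustration of why DOT protects the domain controllers (example code written for this page, not Tanium's own), the following Python models the random-delay behaviour described above. It assumes each endpoint draws an independent uniform delay between 0 and the DOT value and that one endpoint's AD query occupies about one second of domain controller time; neither figure comes from the page. The sizing helper turns a per-second query budget into a minimum DOT value.

```python
"""Model of Tanium's Distribute Over Time (DOT) setting: added example, not
Tanium code. Assumptions: each endpoint draws an independent uniform delay in
[0, dot_seconds]; one endpoint's AD query occupies about one second."""
import math
import random
from collections import Counter


def simulate_start_times(endpoints, dot_seconds, seed=0):
    """Offset (seconds after the action start time) at which each endpoint fires."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    if dot_seconds <= 0:
        # No DOT: every endpoint runs the action at the start time.
        return [0.0] * endpoints
    return [rng.uniform(0, dot_seconds) for _ in range(endpoints)]


def peak_concurrency(start_times, query_seconds=1.0):
    """Largest number of queries overlapping any one-second wall-clock bucket."""
    buckets = Counter()
    for t in start_times:
        for second in range(int(t), int(t + query_seconds) + 1):
            buckets[second] += 1
    return max(buckets.values()) if buckets else 0


def min_dot_for_rate(endpoints, max_queries_per_second):
    """Smallest DOT (seconds) that keeps the *average* query rate under budget.
    Random delays cluster, so leave headroom above this figure."""
    if max_queries_per_second <= 0:
        raise ValueError("budget must be positive")
    return math.ceil(endpoints / max_queries_per_second)


def compare(endpoints=1000, dot_seconds=3600):
    """Peak concurrent queries with and without DOT for the same fleet."""
    return {
        "no_dot": peak_concurrency(simulate_start_times(endpoints, 0)),
        "with_dot": peak_concurrency(simulate_start_times(endpoints, dot_seconds)),
    }


if __name__ == "__main__":
    print(compare())                  # no_dot is 1000; with_dot stays well under 20
    print(min_dot_for_rate(1000, 5))  # 200
```

With 1,000 endpoints and no DOT every query lands in the same second; a one-hour DOT brings the peak down to a handful, and the helper shows that even a budget of five queries per second only needs a DOT of a few minutes.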
Questions
AD Query - All Windows
Get Is Windows from all machines
Returns all Windows computers. Can be used for targeting of the Collect Active Directory Info package.
AD Query - Has Stale Computer Results
Get AD Query - Has Stale Results[Computer, 4] from all machines with AD Query - Has Stale Results[Computer, 4] containing "True"
Returns computers that have AD computer data older than four hours. Can be used for targeting of the Collect Active Directory Info package.
AD Query - Has Stale Local Administrator Results
Get AD Query - Has Stale Results[Admin, 4] from all machines with AD Query - Has Stale Results[Admin, 4] containing "True"
Returns computers that have Local Administrator data older than four hours. Can be used for targeting of the Collect Active Directory Info package.
AD Query - Has Stale Results
Get Target from all machines with ( AD Query - Has Stale Results[Computer, 4] containing "True" or AD Query - Has Stale Results[User, 4] containing "True" or AD Query - Has Stale Results[Admin, 4] containing "True" )
Returns computers that have AD user, computer, or Local Administrator data older than four hours. Can be used for targeting of the Collect Active Directory Info package.
AD Query - Has Stale User Results
Get AD Query - Has Stale Results[User, 4] from all machines with AD Query - Has Stale Results[User, 4] containing "True"
Returns computers that have AD user data older than four hours. Can be used for targeting of the Collect Active Directory Info package.
Packages
Collect Active Directory Info
Queries Active Directory for three data types.
- Computer
  - Pulls back all non-null AD attributes
  - Writes a new file each time it runs
  - Outputs to compAttr.xml
- User
  - Gets the five most recently used profiles on the local computer
  - Includes local users in the user object queries
  - Queries AD for each user object by SID
  - Pulls back all non-null AD attributes
  - Queries the Security event log back 30 days for logon events to determine a primary user
  - Marks a user attribute as the primary user
  - Writes a new file each time it runs
  - Writes output to userAttr.xml
- Local Group Membership
  - Lists members of the computer's local groups, broken out by
    - Account Type (User or Group)
    - Location (Domain or Local)
  - Writes a new file each time it runs
  - Writes output to localGroups.xml
Should be run with a Distribute Over Time (DOT) value in order to reduce the number of simultaneous LDAP queries. Package run output is logged to a rolling logfile in the Tools\Adquery folder.
This package contains 1 file and 0 sensors.
Additional Properties:
- Command Line: cmd /c cscript //T:300 collectAdInfo.vbs "$1" "$2" "$3"
- Command Line Timeout: 300
Prompts:
| Name / Value | Prompt Help | Type | Possible / Default Values |
|---|---|---|---|
| Collect Computer Attributes | | Checkbox | Disabled |
| Collect User Attributes | | Checkbox | Disabled |
| Collect Local Group Memberships | | Checkbox | Disabled |
Files:
- collectAdInfo.vbs
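The package description above says the primary user is chosen from the five most recently used local profiles by counting logon events in the last 30 days of the Security log. The Python below is an added example of that selection logic, not the pack's collectAdInfo.vbs. It assumes, since the page does not say, that an interactive logon is Security event 4624 with logon type 2, 10 or 11, that the built-in service SIDs are ignored, and that ties go to the account that logged on most recently; the events and profiles are constructed sample data.

```python
"""Primary-user selection modelled on the package description: added example,
not the pack's VBScript. Assumptions (not stated on the page): interactive
logons are Security event 4624 with logon type 2, 10 or 11, and built-in
service SIDs are ignored. The events and profiles below are constructed."""
from collections import Counter
from datetime import datetime, timedelta

INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # assumption: console, RDP, cached console
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

NOW = datetime(2018, 3, 26, 12, 0)
ALICE, BOB, CAROL = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002", "S-1-5-21-1-1-1-1003"


def logon(sid, logon_type, days_ago, event_id=4624):
    """Build one constructed Security-log record."""
    return {"EventID": event_id, "LogonType": logon_type,
            "TargetUserSid": sid, "TimeCreated": NOW - timedelta(days=days_ago)}


SAMPLE_EVENTS = (
    [logon(ALICE, 2, d) for d in (1, 3, 7)]          # 3 console logons this month
    + [logon(BOB, 2, d) for d in (2, 5)]             # 2 console logons ...
    + [logon(BOB, 3, d) for d in (1, 1, 2, 2, 3)]    # ... plus 5 network logons (ignored)
    + [logon(CAROL, 2, d) for d in range(40, 50)]    # 10 logons, but outside 30 days
    + [logon("S-1-5-18", 2, 0)]                      # SYSTEM, filtered out
)

# (profile SID, last-use time) pairs as the package would read from the local computer
SAMPLE_PROFILES = [
    (ALICE, NOW - timedelta(days=1)), (BOB, NOW - timedelta(days=2)),
    (CAROL, NOW - timedelta(days=40)), ("S-1-5-21-1-1-1-1004", NOW - timedelta(days=90)),
    ("S-1-5-21-1-1-1-1005", NOW - timedelta(days=120)), ("S-1-5-21-1-1-1-1006", NOW - timedelta(days=200)),
]


def recent_profiles(profiles, n=5):
    """SIDs of the n most recently used local profiles (the package uses five)."""
    return [sid for sid, _ in sorted(profiles, key=lambda p: p[1], reverse=True)[:n]]


def primary_user(events, candidate_sids, now=NOW, days=30):
    """SID with the most interactive logons in the window, or None if there are none.
    Ties go to the SID whose most recent logon is later."""
    cutoff = now - timedelta(days=days)
    counts, latest = Counter(), {}
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] not in INTERACTIVE_LOGON_TYPES:
            continue
        sid = ev["TargetUserSid"]
        if ev["TimeCreated"] < cutoff or sid in SERVICE_SIDS or sid not in candidate_sids:
            continue
        counts[sid] += 1
        latest[sid] = max(latest.get(sid, ev["TimeCreated"]), ev["TimeCreated"])
    if not counts:
        return None
    return max(counts, key=lambda s: (counts[s], latest[s]))


if __name__ == "__main__":
    print(primary_user(SAMPLE_EVENTS, set(recent_profiles(SAMPLE_PROFILES))))  # S-1-5-21-1-1-1-1001
```

Restricting candidates to the recent profiles and to interactive logon types is what keeps a busy service account or a file-server's network logons from being reported as the "primary user" of a workstation.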
Sensors
AD Query - Logged In User Details
Returns details for the current logged on user.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Columns
| Name | Type | Description |
|---|---|---|
| Name | Text | |
| Department | Text | |
| Country | Text | |
| City | Text | |
| Phone Number | Text | |
AD Query - Computer Groups
The distinguishedName of any Active Directory groups the computer is explicitly a member of (no nested groups). Also returns the computer's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local Groups
Returns the names of all local groups. No group members are returned.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Computer Group Memberships
All Active Directory groups the computer is a member of, both explicitly and implicitly; nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Primary User Groups
The distinguishedName of Active Directory group memberships for the computer's primary user. The groups returned are those which the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local Group Membership
Returns local groups and their members. To return all groups, specify All. Input accepts a single group name, or a comma delimited list of multiple names. Dependent on the AD Query content pack.
Columns
| Name | Type | Description |
|---|---|---|
| Group | Text | |
| Member | Text | |
| Location | Text | |
| Type | Text | |
Parameters
| Name | Description | Type | Possible / Default Values |
|---|---|---|---|
| Groups | Group(s) | Text | Administrators |
AD Query - Computer Has Group Membership
Returns True if the computer is a member of the Active Directory group.
Returns False if no match was found.
The group may be specified using either groupname or domain\groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: group,corp\group
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Parameters
| Name | Description | Type | Possible / Default Values |
|---|---|---|---|
| Groups | Groups | Text | |
AD Query - Primary User Group Memberships
All groups the primary user of the computer is a member of, both explicitly and implicitly; nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - User Group Memberships
All groups the specified user is a member of, both explicitly and implicitly; nested groups are also returned. The result is returned in NT format as UserDomain\UserName|GroupDomain\GroupName.
User names may be specified using either username or domain\username syntax.
Multiple users may be specified if separated by a comma. Ex: user,.\user,corp\user
Input 'all' into the Users field to return group membership of all inventoried users.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Columns
| Name | Type | Description |
|---|---|---|
| User | Text | |
| Group | Text | |
Parameters
| Name | Description | Type | Possible / Default Values |
|---|---|---|---|
| Users | Users | Text | |
AD Query - Primary User Details
Returns details for the primary user based on the number of interactive logon events.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Columns
| Name | Type | Description |
|---|---|---|
| Name | Text | |
| Department | Text | |
| Country | Text | |
| City | Text | |
| Phone Number | Text | |
AD Query - Primary User
Returns the computer's primary user based on the number of interactive logon events.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Logged In User Group Memberships
All groups the logged in user is a member of, both explicitly and implicitly; nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - User Attributes
Returns specified attributes for the desired user.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Parameters
| Name | Description | Type | Possible / Default Values |
|---|---|---|---|
| strUser | Active Directory Username | Text | |
| strAttr | Active Directory Attribute | Text | |
AD Query - Local Administrators
Returns users and groups who are a member of the local Administrators group.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Columns
| Name | Type | Description |
|---|---|---|
| Name | Text | |
| Location | Text | |
| Type | Text | |
AD Query - Has Stale Results
Returns True/False value based on the time the AD Query XML files were generated and a time period the Active Directory data should be considered stale.
Parameters
| Name | Description | Type | Possible / Default Values |
|---|---|---|---|
| type | AD Data Type | Selection | Computer, User, Groups |
| intHours | Hours Old | Numeric | |
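The sensor above compares the age of the XML files written by the Collect Active Directory Info package against the hours given. As an added example (Python written for this page, not the pack's VBScript), the check below models that logic, including the case a practitioner cares about for targeting: an endpoint that has never been inventoried has no file at all and should be reported as stale so the questions above pick it up. The mapping from the type parameter to compAttr.xml, userAttr.xml and localGroups.xml is an assumption based on the package description, and the files created by the demo are constructed fixtures.

```python
"""Staleness check modelled on the 'Has Stale Results' sensor: added example,
not the pack's VBScript. Assumption: the data-type parameter maps to the file
the Collect Active Directory Info package writes; a missing file is reported
as stale so the endpoint is picked up by the targeting questions."""
import os
import tempfile
import time

# Assumed mapping from the sensor's "type" parameter to the package's output file.
RESULT_FILES = {
    "Computer": "compAttr.xml",
    "User": "userAttr.xml",
    "Admin": "localGroups.xml",
    "Groups": "localGroups.xml",
}


def has_stale_results(results_dir, data_type, hours, now=None):
    """True when the result file for data_type is older than `hours` or absent."""
    try:
        filename = RESULT_FILES[data_type]
    except KeyError:
        raise ValueError(f"unknown AD data type {data_type!r}") from None
    if hours < 0:
        raise ValueError("hours must be non-negative")
    path = os.path.join(results_dir, filename)
    now = time.time() if now is None else now
    try:
        written = os.path.getmtime(path)
    except FileNotFoundError:
        return True  # never inventoried on this endpoint: treat as stale
    return (now - written) > hours * 3600


def sensor_output(results_dir, data_type, hours):
    """The text a sensor would emit, matching the questions' containing "True"."""
    return "True" if has_stale_results(results_dir, data_type, hours) else "False"


def make_fixture(results_dir, ages_hours, now):
    """Write empty result files whose mtimes are `ages_hours` old (constructed test data)."""
    for data_type, age in ages_hours.items():
        path = os.path.join(results_dir, RESULT_FILES[data_type])
        open(path, "w").close()
        os.utime(path, (now - age * 3600, now - age * 3600))


def demo():
    """Computer data 5 h old, user data 1 h old, no local-group data at all."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        make_fixture(d, {"Computer": 5, "User": 1}, now)
        return {t: has_stale_results(d, t, 4, now) for t in ("Computer", "User", "Admin")}


if __name__ == "__main__":
    print(demo())  # {'Computer': True, 'User': False, 'Admin': True}
```

Reporting a missing file as stale is the safer default for a targeting sensor: the alternative, reporting False, would silently leave never-inventoried endpoints out of every reissue of the collection action.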
AD Query - User Has Group Membership
Returns True if the user is a member of the group.
Returns False if no match was found.
Input 'any' in the User field to test any inventoried user for membership.
The user may be a local account or an Active Directory account.
The user may be specified using either username or domain\username syntax.
Multiple users may be specified when separated by a comma. Ex: user,.\localuser,corp\user
The group may be a local group or an Active Directory group.
The group may be specified using either groupname or domain\groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: group,.\group,corp\group
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Parameters
| Name | Description | Type | Possible / Default Values |
|---|---|---|---|
| Users | Users | Text | |
| Groups | Groups | Text | |
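The Computer Has Group Membership, User Group Memberships and User Has Group Membership sensors all accept the same specifier syntax (name, .\name, domain\name, comma-separated, plus the 'any' and 'all' keywords). The Python below is an added example of that matching, written for this page rather than taken from the pack's VBScript. It assumes, since the page does not spell it out, that a bare name matches an account in any location, that .\name matches only local accounts, and that comparison is case-insensitive as Windows account names are; the inventory for the workstation is constructed sample data.

```python
"""Specifier matching modelled on the 'Has Group Membership' and 'User Group
Memberships' sensors: added example, not the pack's VBScript. Assumptions: a
bare name matches any location, '.\\name' matches only local accounts,
'domain\\name' matches that domain, comparison is case-insensitive. The
inventory is constructed."""

LOCAL = "."  # location token for local accounts/groups, as in the sensors' ".\\name" syntax

# Constructed inventory for one workstation: (user location, user, group location, group)
INVENTORY = [
    ("CORP", "alice", "CORP", "Domain Users"),
    ("CORP", "alice", LOCAL, "Administrators"),
    ("CORP", "bob", "CORP", "Domain Users"),
    (LOCAL, "localadmin", LOCAL, "Administrators"),
    (LOCAL, "localadmin", LOCAL, "Users"),
]
COMPUTER_GROUPS = [r"CORP\Workstations", r"CORP\Domain Computers"]  # NT format, as the sensor returns


def parse_specs(text):
    """'group,.\\group,corp\\group' -> [(None,'group'), ('.','group'), ('corp','group')]."""
    specs = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "\\" in item:
            location, name = item.split("\\", 1)
            specs.append((location.lower(), name.lower()))
        else:
            specs.append((None, item.lower()))
    return specs


def matches(spec, location, name):
    """A spec without a location matches that name anywhere; with one, only there."""
    spec_location, spec_name = spec
    if spec_name != name.lower():
        return False
    return spec_location is None or spec_location == location.lower()


def user_has_group_membership(inventory, users, groups):
    """Sensor semantics: 'any' in the user field makes every inventoried user eligible."""
    group_specs = parse_specs(groups)
    user_specs = None if users.strip().lower() == "any" else parse_specs(users)
    for u_loc, u_name, g_loc, g_name in inventory:
        user_ok = user_specs is None or any(matches(s, u_loc, u_name) for s in user_specs)
        if user_ok and any(matches(s, g_loc, g_name) for s in group_specs):
            return True
    return False


def computer_has_group_membership(computer_groups, groups):
    """True if any inventoried computer group (Domain\\Group) matches a spec."""
    group_specs = parse_specs(groups)
    for entry in computer_groups:
        location, name = entry.split("\\", 1)
        if any(matches(s, location, name) for s in group_specs):
            return True
    return False


def user_group_memberships(inventory, users):
    """Lines in UserDomain\\UserName|GroupDomain\\GroupName format; 'all' lists every user."""
    user_specs = None if users.strip().lower() == "all" else parse_specs(users)
    return [f"{u_loc}\\{u_name}|{g_loc}\\{g_name}"
            for u_loc, u_name, g_loc, g_name in inventory
            if user_specs is None or any(matches(s, u_loc, u_name) for s in user_specs)]


if __name__ == "__main__":
    print(user_has_group_membership(INVENTORY, "alice", "administrators"))           # True
    print(user_has_group_membership(INVENTORY, "any", r"corp\Domain Admins"))         # False
    print(computer_has_group_membership(COMPUTER_GROUPS, r"workstations,corp\Servers"))  # True
```

Note the difference a location makes: corp\bob is not a member of .\Administrators, but a bare "Administrators" with "any" as the user is satisfied by either the domain user alice or the local account localadmin, which is usually the question an administrator actually wants answered.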
AD Query - Computer Attributes
Returns the value of the specified Active Directory attribute from the computer's Active Directory object.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Parameters
| Name | Description | Type | Possible / Default Values |
|---|---|---|---|
| strAttr | Active Directory Attribute | Text | |
AD Query - Logged In User Groups
The distinguishedName of any Active Directory groups the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
Actions
Deploy Collect Active Directory Info
Deploys the Collect Active Directory Info package to the default action group with a three hour Distribute Over Time and a four hour reissue interval. Disabled by default.