
Enumerating Admin

Question asked by John S on Nov 14, 2018
Latest reply on Nov 17, 2018 by DMFezzaReed

I was not entirely sure how to word this correctly. So I will give an example, as I saw some others that did this and cannot find them now. There were other items I had seen that enumerated contents of a QID...and were able to report back results from inside that enumeration in some way.

So I would start with a very specific example to understand the logic around the query.

 

QID 45302 - Administrator Group Members Enumerated Using SID
This Qualys ID, as far as I know, enumerates the Administrators Group in Windows servers.

 

I ran the following:
Vulnerability Management > Asset Search >
QID = 45302
and
Last Scan Date within 45 days (data that is fairly recent)

 

I get a report that has the following columns:
IP Address / DNS Hostname / NetBIOS Hostname / OS / QID / Tracking / First Found / Last Found

 

I clicked on the IP of the first server found and get a popup of it.

I go to Vulnerabilities / Information Gathered / Administrator Group Members Enumerated (I expand it)
In the RESULTS section I get: (obfuscated of course)
   Administrators <servername>\local admin username
   Administrators <Domain>\group
   Administrators <Domain>\account

 

OK.....

 

Is there a way to run a report and PULL all the administrators listed above for each server in some way?  Pull that data out of the QID enumeration?
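
Once the RESULTS text of QID 45302 has been collected per host (how it is exported from Qualys is not covered on this page), the per-server admin list and its pivot by account can be built as below. This is an added example, not part of the original post; the input dictionary, host names and accounts are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: NetBIOS hostname -> RESULTS text of QID 45302,
# in the "Administrators <scope>\<name>" layout shown in the post.
SAMPLE_RESULTS = {
    "SRV01": (
        "Administrators SRV01\\local admin\n"
        "Administrators CORP\\Domain Admins\n"
        "Administrators CORP\\svc_backup\n"
    ),
    "SRV02": (
        "Administrators SRV02\\Administrator\n"
        "Administrators CORP\\Domain Admins\n"
    ),
}


def parse_members(host, results_text):
    """Return [(scope, name, kind)] for one host's RESULTS text."""
    members = []
    for line in results_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # First token is the group name; the remainder is scope\name,
        # and the name itself may contain spaces.
        group, _, principal = line.partition(" ")
        scope, sep, name = principal.strip().partition("\\")
        if group != "Administrators" or not sep or not name:
            continue  # skip lines that do not match the layout
        # A scope equal to the host name means a local account.
        kind = "local" if scope.upper() == host.upper() else "domain"
        members.append((scope, name, kind))
    return members


def admins_by_principal(results_by_host):
    """Pivot host -> members into principal -> sorted list of hosts."""
    pivot = defaultdict(set)
    for host, text in results_by_host.items():
        for scope, name, _kind in parse_members(host, text):
            pivot[f"{scope}\\{name}"].add(host)
    return {p: sorted(h) for p, h in sorted(pivot.items())}


if __name__ == "__main__":
    for principal, hosts in admins_by_principal(SAMPLE_RESULTS).items():
        print(f"{principal}: {', '.join(hosts)}")
```

The pivot makes it easy to spot domain groups or accounts that hold local administrator rights on many servers, which is usually the point of reviewing this QID.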
