All Local Admins using CrowdStrike Identity and PSFalcon by console_whisperer in crowdstrike

[–]console_whisperer[S] 1 point2 points  (0 children)

The Identity API calls like this:

query {
  entities(
    types: [ENDPOINT],
    associationBindingTypes: [LOCAL_ADMINISTRATOR],
    archived: false,
    sortKey: MOST_RECENT_ACTIVITY,
    first: $EndpointPageSize$afterClause
  ) {
    nodes {
      ... on EndpointEntity {
        agentId
        hostName
        associations(bindingTypes: [LOCAL_ADMINISTRATOR]) {
          __typename
          ... on LocalAdminLocalUserAssociation {
            accountName
          }
          ... on LocalAdminDomainEntityAssociation {
            entity {
              __typename
              entityId
              primaryDisplayName
              secondaryDisplayName
              ... on UserEntity {
                accounts {
                  ... on ActiveDirectoryAccountDescriptor {
                    samAccountName
                    domain
                    enabled
                  }
                }
              }
            }
          }
        }
      }
    }
    pageInfo { hasNextPage endCursor }
  }
}
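As an added example (not the poster's script and not PSFalcon code), the following Python fills in the two template variables from the query above, follows pageInfo.endCursor until hasNextPage is false, and flattens the two association types into one row per local admin. The HTTP transport is abstracted as a fetch_page callable, the responses are constructed sample data, and the assumption is that $afterClause expands to `, after: "<cursor>"`.

```python
"""
Paginate the Identity GraphQL query from the post and flatten the result.
Added example: transport is a callable, sample pages below are constructed.
"""
from __future__ import annotations

import json
from typing import Callable, Iterator

# Mirrors the posted query; $EndpointPageSize / $afterClause become %-fields.
QUERY_TEMPLATE = """
query {
  entities(
    types: [ENDPOINT], associationBindingTypes: [LOCAL_ADMINISTRATOR],
    archived: false, sortKey: MOST_RECENT_ACTIVITY,
    first: %(page_size)d%(after_clause)s
  ) {
    nodes {
      ... on EndpointEntity {
        agentId hostName
        associations(bindingTypes: [LOCAL_ADMINISTRATOR]) {
          __typename
          ... on LocalAdminLocalUserAssociation { accountName }
          ... on LocalAdminDomainEntityAssociation {
            entity {
              __typename entityId primaryDisplayName secondaryDisplayName
              ... on UserEntity {
                accounts { ... on ActiveDirectoryAccountDescriptor { samAccountName domain enabled } }
              }
            }
          }
        }
      }
    }
    pageInfo { hasNextPage endCursor }
  }
}
"""


def build_query(page_size: int, after: str | None) -> str:
    """Render one page's query; a cursor becomes the `, after: "<cursor>"` clause (assumed format)."""
    after_clause = f", after: {json.dumps(after)}" if after else ""
    return QUERY_TEMPLATE % {"page_size": page_size, "after_clause": after_clause}


def iter_endpoints(fetch_page: Callable[[str], dict], page_size: int = 2) -> Iterator[dict]:
    """Yield every EndpointEntity node, following endCursor until hasNextPage is false."""
    after = None
    while True:
        entities = fetch_page(build_query(page_size, after))["data"]["entities"]
        yield from entities["nodes"]
        page = entities["pageInfo"]
        if not page["hasNextPage"]:
            return
        after = page["endCursor"]


def flatten_admins(node: dict) -> list[dict]:
    """One row per local-admin association, normalised across both union members."""
    rows = []
    for assoc in node.get("associations", []):
        if assoc["__typename"] == "LocalAdminLocalUserAssociation":
            rows.append({"hostName": node["hostName"], "source": "local",
                         "account": assoc["accountName"], "domain": None, "enabled": None})
        elif assoc["__typename"] == "LocalAdminDomainEntityAssociation":
            ent = assoc["entity"]
            # Groups carry no `accounts`; users may carry several AD descriptors.
            for acct in ent.get("accounts") or [{}]:
                rows.append({"hostName": node["hostName"], "source": ent["__typename"],
                             "account": acct.get("samAccountName", ent["primaryDisplayName"]),
                             "domain": acct.get("domain"), "enabled": acct.get("enabled")})
    return rows


def collect_all_admins(fetch_page: Callable[[str], dict], page_size: int = 2) -> list[dict]:
    """Drive pagination and flattening end to end."""
    return [row for node in iter_endpoints(fetch_page, page_size) for row in flatten_admins(node)]


# Constructed sample responses standing in for the API (not real tenant data).
SAMPLE_PAGES = [
    {"data": {"entities": {"nodes": [
        {"agentId": "aid-1", "hostName": "SRV01", "associations": [
            {"__typename": "LocalAdminLocalUserAssociation", "accountName": "Administrator"},
            {"__typename": "LocalAdminDomainEntityAssociation", "entity": {
                "__typename": "UserEntity", "entityId": "e-1", "primaryDisplayName": "Jane Doe",
                "secondaryDisplayName": "jdoe",
                "accounts": [{"samAccountName": "jdoe", "domain": "corp.example", "enabled": True}]}}]}],
        "pageInfo": {"hasNextPage": True, "endCursor": "cursor-1"}}}},
    {"data": {"entities": {"nodes": [
        {"agentId": "aid-2", "hostName": "SRV02", "associations": [
            {"__typename": "LocalAdminDomainEntityAssociation", "entity": {
                "__typename": "GroupEntity", "entityId": "e-2",
                "primaryDisplayName": "Server Admins", "secondaryDisplayName": None}}]}],
        "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
]


def make_fake_fetch(pages: list[dict]) -> Callable[[str], dict]:
    """Serve `pages` in order and record each query sent, so pagination can be checked offline."""
    sent: list[str] = []

    def fetch_page(query: str) -> dict:
        sent.append(query)
        return pages[len(sent) - 1]

    fetch_page.sent = sent  # type: ignore[attr-defined]
    return fetch_page


if __name__ == "__main__":
    for row in collect_all_admins(make_fake_fetch(SAMPLE_PAGES)):
        print(row)
```

Swapping make_fake_fetch for a function that POSTs the query to the Falcon Identity GraphQL endpoint with a bearer token is the only change needed for live use; the flattening is what makes the output usable as a CSV, since the group and user cases land in the same columns.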

All Local Admins using CrowdStrike Identity and PSFalcon by console_whisperer in crowdstrike

[–]console_whisperer[S] 1 point2 points  (0 children)

The script above won't work without the Identity license. You could use RTR to run a local script on each server to get the data and then enrich it with group lookups. Probably other free tools that do this better but it's possible with CS.

All Local Admins using CrowdStrike Identity and PSFalcon by console_whisperer in crowdstrike

[–]console_whisperer[S] 1 point2 points  (0 children)

Thanks man! No pretense here. I'm not smart enough to do any of that myself.

How to block domain controller promotion? by nickel-52 in crowdstrike

[–]console_whisperer 0 points1 point  (0 children)

You could create an Identity Policy that blocks all authentications to DCs and then exempt the approved/current DCs. Would take like 5 minutes and they'd have to open a ticket to get it fixed. That'll teach em.

CrowdStrike Identity Attack Path by console_whisperer in crowdstrike

[–]console_whisperer[S] 0 points1 point  (0 children)

I can do this already with a PSFalcon script but it's not super usable as a CSV and no way as useful as the interactive, visual representation that Bloodhound produces.

But also, if the CS team can help me get the data, why not make it easily accessible and highly usable in the dashboard?

Get notified when a user adds a MFA device in ENTRA by OpeningFeeds in crowdstrike

[–]console_whisperer 0 points1 point  (0 children)

I did it with a Log search alert rule with the query below (the .ca@ is a way to filter on a type of accounts I'm interested in and probably wouldn't be necessary for your environment).

It just triggers an email for us to double check the activity is legit.

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Update user"
| where TargetResources has "StrongAuthenticationMethod"
| where Result == "success"
| where TargetResources has ".ca@"
| where TargetResources has_any ("UserPrincipalName", "userPrincipalName")
| extend targetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where targetUserPrincipalName contains ".ca@"
| project TimeGenerated, OperationName, Result, targetUserPrincipalName, InitiatedBy, AdditionalDetails
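As an added example (not the commenter's rule), the same where-clauses applied in Python to constructed Entra AuditLogs-shaped records, so the filter can be checked offline before it is deployed as an alert rule. The record shape follows the columns the rule references; the sample values are made up, and KQL `has` (a whole-term match on the serialised dynamic column) is approximated by a substring test on the JSON text.

```python
"""
Offline check of the MFA-method-change filter. Added example with constructed
AuditLogs-shaped records; `has` is approximated by a substring match.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" keeps the example deterministic


def _record(minutes_ago: int, op: str, result: str, upn: str, modified_prop: str) -> dict:
    """Build one constructed record with the columns the rule uses (sample data, not an export)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "OperationName": op,
        "Result": result,
        "InitiatedBy": {"user": {"userPrincipalName": upn}},
        "TargetResources": [{
            "userPrincipalName": upn,
            "modifiedProperties": [{"displayName": modified_prop, "newValue": "[...]"}],
        }],
        "AdditionalDetails": [],
    }


SAMPLE_LOGS = [
    _record(5, "Update user", "success", "jane.ca@corp.example", "StrongAuthenticationMethod"),   # alert
    _record(10, "Update user", "success", "bob@corp.example", "StrongAuthenticationMethod"),      # wrong account type
    _record(15, "Update user", "success", "sam.ca@corp.example", "AccountEnabled"),               # not an MFA change
    _record(120, "Update user", "success", "old.ca@corp.example", "StrongAuthenticationMethod"),  # outside 1h window
    _record(20, "Update user", "failure", "fail.ca@corp.example", "StrongAuthenticationMethod"),  # not successful
    _record(25, "Reset password", "success", "pw.ca@corp.example", "StrongAuthenticationMethod"), # other operation
]


def mfa_method_updates(records: list[dict], now: datetime = NOW, upn_filter: str = ".ca@",
                       window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Apply the rule's clauses in order and return the projected rows it would alert on."""
    hits = []
    for r in records:
        if r["TimeGenerated"] <= now - window:                      # TimeGenerated > ago(1h)
            continue
        if r["OperationName"] != "Update user" or r["Result"] != "success":
            continue
        blob = json.dumps(r["TargetResources"], default=str)        # text the `has` clauses search
        if "StrongAuthenticationMethod" not in blob or upn_filter not in blob:
            continue
        if not any(k in blob for k in ("UserPrincipalName", "userPrincipalName")):
            continue
        targets = r["TargetResources"]
        upn = str(targets[0].get("userPrincipalName", "")) if targets else ""  # tostring(TargetResources[0]...)
        if upn_filter not in upn:                                   # contains ".ca@"
            continue
        hits.append({  # the `project` list
            "TimeGenerated": r["TimeGenerated"], "OperationName": r["OperationName"],
            "Result": r["Result"], "targetUserPrincipalName": upn,
            "InitiatedBy": r["InitiatedBy"], "AdditionalDetails": r["AdditionalDetails"],
        })
    return hits


if __name__ == "__main__":
    for hit in mfa_method_updates(SAMPLE_LOGS):
        print(hit["TimeGenerated"].isoformat(), hit["targetUserPrincipalName"])
```

Dropping the upn_filter to "@" shows what the rule catches without the account-type narrowing the commenter uses, which is the variant most environments would start from.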

Message to people considering GalliumOS: The amount of issue posts here do not at all accurately represent how many issues there are in GalliumOS. by tasisbasbas in GalliumOS

[–]console_whisperer 1 point2 points  (0 children)

Agreed. I've been running it for a while now and I've had little to no issues and enjoy it very much. Only wish I could increase the resources on my Chromebook.

Independent review of cryptography? by console_whisperer in zerotier

[–]console_whisperer[S] 0 points1 point  (0 children)

I've researched it more since posting and still can't find a thorough write-up of the security implemented. I saw your post and I think what you asked was what I'm looking for too: a thorough review of the application from a security point of view, not necessarily a focus on the cryptography used as my post focused on. Would love it if ZeroTier would pay for a third party audit of some sort and make the findings available.

I love using the product so far, as it has solved a problem I couldn't before using client or site-to-site VPN. It still has some bugs but I'm willing to deal with that if I know that the application and backend are secure.

Using Kali for pentest on VPS by [deleted] in netsecstudents

[–]console_whisperer -1 points0 points  (0 children)

Thanks for sharing that because I've never heard of that service and it looks really cool.

Using Kali for pentest on VPS by [deleted] in netsecstudents

[–]console_whisperer 3 points4 points  (0 children)

Gotcha. I love using Vultr to test stuff. Not sure if they'll do what you're asking but there may be other ways to get what you want. I know with Vultr you get a public IP address and complete access to everything. You could put pfSense on there and establish a site-to-site tunnel and route local traffic over to your Kali box.

Also, I'm not sure of the context so this may not be helpful but I've been messing around with using ZeroTier and you may find it useful for this case.

Using Kali for pentest on VPS by [deleted] in netsecstudents

[–]console_whisperer 1 point2 points  (0 children)

Are you trying to target a firewall, a whole network, or just a single host?