Awesome
Set-AuditRule
A repository of useful access control entries (ACE) that could be added to the system access control list (SACL) of a securable object's security descriptor to monitor potential adversarial activity. These entries are categorized by specific securable objects such as files, registry keys and Active Directory objects. In addition, this project comes with a PowerShell script that will help you to set the audit rules in a programmatic way at scale. The script also leverages PowerShell dynamic parameters to provide auto-complete capabilities and provide the values needed for each flag directly from the access control and directory service classes.
Goals
- Document useful audit rules to monitor and detect potential adversaries accessing specific securable objects
- Expedite development and deployment of audit rules in network environments
- Test audit rules volume and share findings with the community
- Map audit rules to adversarial tooling
- Learn about System Access Control Lists (SACL)
- Learn about PowerShell Dynamic Parameters
- Learn about Microsoft Security Access Control classes
References
- Access Control Namespace
- Registry Access Control Rights
- Files Access Control Rights
- Well Known Sid Types
- Security Descriptor
Authors
- Roberto Rodriguez @Cyb3rWard0g
Contributing
If you have an audit rule that you believe is useful in your environment to monitor and detect potential adversarial activity and would like to share it with the community, feel free to open a PR!