Set-AuditRule: Useful access control entries on SACL of securable objects


A repository of useful access control entries (ACEs) on the system access control list (SACL) of securable objects, intended to help find potential adversarial activity. The entries are categorized by securable object type, such as files, registry keys, and AD objects. The project also includes a PowerShell script, Set-AuditRule, that helps you set the audit rules programmatically and at scale. The script uses PowerShell dynamic parameters to provide auto-completion and to supply the values needed for each flag directly from the access control and directory service classes.


  • Document useful audit rules to detect potential adversaries
  • Expedite development and deployment of audit rules in networks
  • Test audit rules volume and share findings with the community
  • Map audit rules to adversarial tooling
  • Learn about System Access Control Lists (SACL)
  • Learn about PowerShell Dynamic Parameters
  • Learn about Microsoft Security Access Control classes
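
The kind of operation described above, written directly against the .NET access control classes as an added example. This is not code from the Set-AuditRule project; the function name `Add-SaclAuditEntry`, its parameters and the sample path are hypothetical.

```powershell
# Added example (not the project's script). Run elevated: reading or writing a
# SACL requires the SeSecurityPrivilege that administrators hold.
function Add-SaclAuditEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,    # file, folder or registry path (HKLM:\...)
        [Parameter(Mandatory)][string]$Rights,  # e.g. 'Write, Delete' or 'QueryValues'
        [System.Security.Principal.WellKnownSidType]$Principal = 'WorldSid',
        [System.Security.AccessControl.AuditFlags]$AuditFlags = 'Success',
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagation = 'None'
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    # Well-known SIDs avoid localized account names ('Everyone' vs. 'Jeder').
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Principal, $null)

    switch ($item.PSProvider.Name) {
        'Registry' {
            $typed = [System.Security.AccessControl.RegistryRights]$Rights
            $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
                $sid, $typed, $Inheritance, $Propagation, $AuditFlags)
        }
        'FileSystem' {
            # A plain file has no children, so inheritance flags must be None.
            if (-not $item.PSIsContainer) { $Inheritance = 'None'; $Propagation = 'None' }
            $typed = [System.Security.AccessControl.FileSystemRights]$Rights
            $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $sid, $typed, $Inheritance, $Propagation, $AuditFlags)
        }
        default { throw "Unsupported provider: $($item.PSProvider.Name)" }
    }

    # -Audit makes Get-Acl load the SACL; without it only the DACL is returned.
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)   # adds to, rather than replaces, existing audit ACEs
    if ($PSCmdlet.ShouldProcess($Path, "Add $AuditFlags audit ACE for $Rights")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    # Return the resulting audit rules so the change can be reviewed.
    $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
}

# Constructed sample call; -WhatIf previews the change without writing the SACL.
# Add-SaclAuditEntry -Path 'C:\Temp\canary.txt' -Rights 'ReadData' -WhatIf
```

An audit ACE only produces Security log events when the matching Object Access audit subcategory (File System or Registry) is enabled in the audit policy.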


git clone

Copyright (C) 2019 Roberto Rodriguez @Cyb3rWard0g