Set-AuditRule: Useful access control entries on SACL of securable objects
# Set-AuditRule

A repository of useful access control entries (ACEs) for the system access control list (SACL) of securable objects, intended to surface potential adversarial activity through object-access auditing. The entries are categorized by securable object type: files, registry keys, and Active Directory (AD) objects. The project also ships a PowerShell script that sets these audit rules programmatically and at scale. The script uses PowerShell dynamic parameters to offer tab completion and to populate each flag's permitted values directly from the .NET access control and directory services classes.
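As an added illustration (not the project's own script), the following PowerShell applies one such SACL entry by hand, using the same `System.Security.AccessControl` classes the script wraps: it audits successful and failed modification attempts on a registry key. It assumes an elevated session (writing a SACL needs SeSecurityPrivilege), that the "Object Access > Registry" audit subcategory is enabled, and a placeholder key path chosen for the example.

```powershell
# Added example, not code from the Set-AuditRule repository.
# Prerequisites (assumptions): run as Administrator, and enable the subcategory
# that turns SACL entries on registry keys into events:
#   auditpol /set /subcategory:"Registry" /success:enable /failure:enable

$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder target key

# Who to audit and which rights to watch. 'Everyone' catches any principal;
# the rights chosen cover changes an attacker would need to tamper with the key.
$identity    = [System.Security.Principal.NTAccount]'Everyone'
$rights      = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'  # apply to subkeys too
$propagation = [System.Security.AccessControl.PropagationFlags]'None'
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Build the audit ACE (an audit rule, as opposed to an access rule on the DACL)
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
    -ArgumentList $identity, $rights, $inherit, $propagation, $auditFlags

# -Audit is required: without it Get-Acl returns the DACL only and the SACL
# would be left untouched by Set-Acl.
$acl = Get-Acl -Path $KeyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verify what now sits on the key's SACL
(Get-Acl -Path $KeyPath -Audit).Audit |
    Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags
```

Once the rule is in place, matching accesses appear in the Security log as event 4663 ("An attempt was made to access an object") naming the key in its Object Name field, which is the signal a detection rule built from these entries would consume.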
## Goals
- Document useful audit rules to detect potential adversaries
- Expedite development and deployment of audit rules in networks
- Test audit rules volume and share findings with the community
- Map audit rules to adversarial tooling
- Learn about System Access Control Lists (SACL)
- Learn about PowerShell Dynamic Parameters
- Learn about Microsoft Security Access Control classes
## Download

```
git clone https://github.com/OTRF/Set-AuditRule.git
```
Copyright (C) 2019 Roberto Rodriguez @Cyb3rWard0g
Source: https://github.com/OTRF/