otrf / set-auditrule

Useful access control entries (ACEs) on the system access control list (SACL) of securable objects to find potential adversarial activity

License: GNU General Public License v3.0

PowerShell 100.00%

Contributors

cyb3rward0g

set-auditrule's Issues

add audit rules

I am searching all over the internet for how to make multiple audit rules for a folder, or to export and then import multiple audit rules for a file or folder.
With the script I can make a new audit rule, but only one rule for one user; I can't do that for two rules and two users. The old audit rule is always deleted when using the script.
Exporting and importing audit rules doesn't work either.
Is there any solution for this, except doing it manually?
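As an added example for the question above (this is not code from the set-auditrule project), the following PowerShell builds a folder SACL with one FileSystemAuditRule per identity using AddAuditRule, which appends ACEs instead of replacing the ones already present, and then exports and re-imports the SACL section as SDDL. The folder paths, identities and file names are assumptions; the session must hold SeSecurityPrivilege (an elevated prompt), and events such as 4663 only appear once the "File System" subcategory under Object Access auditing is enabled.

```powershell
# Added example (not part of set-auditrule): several audit ACEs on one folder,
# plus SACL export/import through SDDL. Paths and identities are assumptions.

function Add-FolderAuditRules {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Identity,   # e.g. 'EXAMPLE\alice','EXAMPLE\bob'
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Write,Delete,ChangePermissions,TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$AuditFlags = 'Success,Failure'
    )
    # -Audit is required; without it Get-Acl returns the DACL only and the SACL is never written
    $acl = Get-Acl -Path $Path -Audit
    foreach ($id in $Identity) {
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $id, $Rights,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            $AuditFlags)
        # AddAuditRule appends; SetAuditRule would first remove the existing ACEs for this identity,
        # which is why "the old audit rule is always deleted" when only one is set
        $acl.AddAuditRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path -Audit).Audit
}

function Export-FolderSacl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$OutFile)
    # 'Audit' selects the SACL section only, so the string can be applied to another folder
    $sddl = (Get-Acl -Path $Path -Audit).GetSecurityDescriptorSddlForm('Audit')
    Set-Content -Path $OutFile -Value $sddl -Encoding ascii
    $sddl
}

function Import-FolderSacl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$InFile)
    $sddl = (Get-Content -Path $InFile -Raw).Trim()
    $acl = Get-Acl -Path $Path -Audit
    # Only the sections present in the SDDL string (here the SACL) are replaced; the DACL is untouched
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Audit')
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path -Audit).Audit
}

# Usage (assumed paths):
# Add-FolderAuditRules -Path 'C:\Sensitive' -Identity 'EXAMPLE\alice','EXAMPLE\bob'
# Export-FolderSacl -Path 'C:\Sensitive' -OutFile 'C:\Temp\sensitive-sacl.txt'
# Import-FolderSacl -Path 'D:\Archive' -InFile 'C:\Temp\sensitive-sacl.txt'
```

Note that AddAuditRule does not de-duplicate: running Add-FolderAuditRules twice for the same identity yields two identical ACEs, so check the existing `.Audit` collection first if the script is meant to be re-runnable. Importing a SACL replaces the whole audit section of the target, so export the target's current SACL before overwriting it.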

Audit rules with -AttributeGUID overwrite each other

Hello,

Thanks for your script which avoided me having to delve too deep in SDDL :)

When using the script to set audit rules for "Read Property" on two specific attributes of an AD object with the -AttributeGUID parameter, the script overwrites the first one with the second one instead of adding both.

Using $Acl.AddAuditRule($AuditRuleObject) instead of $Acl.SetAuditRule($AuditRuleObject) on line 272 correctly adds two rules, but I don't know the impact on other use cases.

Example:
I want to add an audit rule on attributes member and memberOf of AdminSDHolder (which is not possible via GUI because AdminSDHolder is of type container and this type does not have these attributes). These rules will be propagated by SDProp to e.g. Domain Admins (group) or Administrator (user).

> $AdminSDHolder = "CN=AdminSDHolder,CN=System,DC=EXAMPLE"
> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

> Set-AuditRule -AdObjectPath "ad:\$AdminSDHolder" -WellKnownSidType NetworkSid -AuditFlags Success,Failure -InheritanceFlags None -Rights ReadProperty -AttributeGUID bf967991-0de6-11d0-a285-00aa003049e2  # memberOf
> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf967991-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

> Set-AuditRule -AdObjectPath "ad:\$AdminSDHolder" -WellKnownSidType NetworkSid -AuditFlags Success,Failure -InheritanceFlags None -Rights ReadProperty -AttributeGUID bf9679c0-0de6-11d0-a285-00aa003049e2  # member

# At this stage, I would expect to have a rule for bf967991-0de6-11d0-a285-00aa003049e2 and one for bf9679c0-0de6-11d0-a285-00aa003049e2
# but only the rule for bf9679c0-0de6-11d0-a285-00aa003049e2 exists

> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

Instead, when adding the rules with $Acl.AddAuditRule($AuditRuleObject) :

Import-Module ActiveDirectory   # provides the AD: drive used below

$AdminSDHolder = "CN=AdminSDHolder,CN=System,DC=EXAMPLE"
$Acl = Get-Acl "ad:\$AdminSDHolder" -Audit   # -Audit is required to read and write the SACL

$IdentityReference = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]"NetworkSid", $null)
$Rights = "ReadProperty"
$AuditFlags = "Success","Failure"
$InheritanceFlags = "None"

# Object-specific ACE for the "member" attribute (ObjectType = attribute schemaIDGUID)
$AttributeGUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # member
$AuditRuleObject = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityReference,$Rights,$AuditFlags,[guid]$AttributeGUID, $InheritanceFlags,[guid]'00000000-0000-0000-0000-000000000000')
$Acl.AddAuditRule($AuditRuleObject)   # AddAuditRule appends instead of replacing the previous ACE for this SID

# Second object-specific ACE for "memberOf"
$AttributeGUID = "bf967991-0de6-11d0-a285-00aa003049e2"  # memberOf
$AuditRuleObject = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityReference,$Rights,$AuditFlags,[guid]$AttributeGUID, $InheritanceFlags,[guid]'00000000-0000-0000-0000-000000000000')
$Acl.AddAuditRule($AuditRuleObject)

Set-Acl "ad:\$AdminSDHolder" $Acl

# Now both rules exist:

> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf967991-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...
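The following is an added example, not code from set-auditrule or from the issue author, that generalises the AddAuditRule approach shown above: it takes a list of attribute names, resolves each to its schemaIDGUID from the schema partition instead of hard-coding the GUIDs, skips ACEs that are already present so the function can be re-run, and returns the object-specific audit ACEs so the caller can confirm every attribute GUID made it into the SACL. The function and parameter names are assumptions; it requires the ActiveDirectory module and an account that may write the SACL of the target object, and the resulting 4662 events only appear once "Audit Directory Service Access" is enabled on the domain controllers.

```powershell
# Added example (not part of set-auditrule): one ReadProperty audit ACE per attribute,
# attribute names resolved to schemaIDGUID, duplicates skipped. Names are assumptions.
Import-Module ActiveDirectory

function Get-AttributeSchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    [guid]$attr.schemaIDGUID   # schemaIDGUID is stored as a 16-byte array
}

function Add-AttributeReadAuditRules {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,   # e.g. CN=AdminSDHolder,CN=System,DC=EXAMPLE
        [Parameter(Mandatory)][string[]]$Attribute,         # e.g. 'member','memberOf'
        [System.Security.Principal.WellKnownSidType]$WellKnownSid = 'NetworkSid',
        [System.Security.AccessControl.AuditFlags]$AuditFlags = 'Success,Failure'
    )
    $path   = "AD:\$DistinguishedName"
    $acl    = Get-Acl -Path $path -Audit
    $sid    = New-Object System.Security.Principal.SecurityIdentifier($WellKnownSid, $null)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $added  = 0

    foreach ($name in $Attribute) {
        $guid = Get-AttributeSchemaGuid -LdapDisplayName $name

        # AddAuditRule does not de-duplicate, so look for an identical explicit ACE first
        $exists = $acl.Audit | Where-Object {
            $_.ObjectType -eq $guid -and
            $_.ActiveDirectoryRights -eq $rights -and
            $_.AuditFlags -eq $AuditFlags -and
            -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        }
        if ($exists) { Write-Verbose "Audit ACE for '$name' already present"; continue }

        # Object-specific ACE: ObjectType is the attribute GUID, no inheritance
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $sid, $rights, $AuditFlags, $guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        # AddAuditRule appends; SetAuditRule would replace the previous ACE for this SID
        $acl.AddAuditRule($rule)
        $added++
    }

    if ($added -gt 0) { Set-Acl -Path $path -AclObject $acl }

    # Return only the object-specific audit ACEs so each requested GUID can be verified
    (Get-Acl -Path $path -Audit).Audit | Where-Object { $_.ObjectFlags -ne 'None' }
}

# Usage (assumed DN):
# Add-AttributeReadAuditRules -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=EXAMPLE' `
#     -Attribute 'member','memberOf' -Verbose |
#     Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AuditFlags
```

When the target is AdminSDHolder, the new ACEs reach protected accounts and groups only after the next SDProp run, so verify on a protected object such as Domain Admins rather than on AdminSDHolder alone before relying on the events.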
