/Set-AuditRule

Useful access control entries (ACE) on system access control list (SACL) of securable objects to find potential adversarial activity

Primary LanguagePowerShellGNU General Public License v3.0GPL-3.0

Set-AuditRule

Open_Threat_Research Community Open Source Love svg1

A repository of useful access control entries (ACE) that could be added to the system access control list (SACL) of a securable object's security descriptor to monitor potential adversarial activity. These entries are categorized by specific securable objects such as files, registry keys and Active Directory objects. In addition, this project comes with a PowerShell script that will help you to set the audit rules in a programmatic way at scale. The script also leverages PowerShell dynamic parameters to provide auto-complete capabilities and provide the values needed for each flag directly from the access control and directory service classes.

Goals

  • Document useful audit rules to monitor and detect potential adversaries accessing specific securable objects
  • Expedite development and deployment of audit rules in network environments
  • Test audit rules volume and share findings with the community
  • Map audit rules to adversarial tooling
  • Learn about System Access Control Lists (SACL)
  • Learn about PowerShell Dynamic Parameters
  • Learn about Microsoft Security Access Control classes

References

Authors

Contributing

If you have an audit rule that you believe is useful in your environment to monitor and detect potential adversarial activity and would like to share it with the community, feel free to open a PR!

License: GPL-3.0

Set-AuditRule's GNU General Public License