#region Audit Policy
# Windows advanced audit policy subcategories, one entry per subcategory.
# Each entry is a plain hashtable with three keys:
#   Name      - the English display name of the subcategory
#   GUID      - the subcategory identifier (the {0CCE92xx-...} form used by
#               auditpol.exe and the audit APIs)
#   Inclusion - one of 'No Auditing', 'Success' or 'Success and Failure'
#
# The rows below are kept as a pipe-separated table so that a subcategory is
# a single line and the three fields cannot drift apart; the hashtables are
# built from it in declaration order, so $AuditPolicy[0] is
# 'Security System Extension' and $AuditPolicy[55] is 'Credential Validation'.
#
# NOTE(review): match on GUID rather than Name when reconciling this list
# against auditpol output - the GUIDs are locale-independent, while auditpol
# prints localised subcategory names.
# NOTE(review): this table sets 'Process Creation', 'Sensitive Privilege Use'
# and 'Security System Extension' to 'No Auditing'. Those subcategories are
# commonly enabled in hardening baselines (process start, privilege use and
# service-install events). Nothing here says whether the list is a target
# posture or a capture of an existing state - confirm before applying it.
# NOTE(review): the newer subcategories 'Plug and Play Events', 'Group
# Membership' and 'Token Right Adjusted Events' are not listed; add them if
# this is applied to Windows 10 / Server 2016 or later.
$AuditPolicy = @(
    foreach ($row in (@'
Security System Extension|{0CCE9211-69AE-11D9-BED3-505054503030}|No Auditing
System Integrity|{0CCE9212-69AE-11D9-BED3-505054503030}|Success and Failure
IPsec Driver|{0CCE9213-69AE-11D9-BED3-505054503030}|No Auditing
Other System Events|{0CCE9214-69AE-11D9-BED3-505054503030}|Success and Failure
Security State Change|{0CCE9210-69AE-11D9-BED3-505054503030}|Success
Logon|{0CCE9215-69AE-11D9-BED3-505054503030}|Success and Failure
Logoff|{0CCE9216-69AE-11D9-BED3-505054503030}|Success
Account Lockout|{0CCE9217-69AE-11D9-BED3-505054503030}|Success
IPsec Main Mode|{0CCE9218-69AE-11D9-BED3-505054503030}|No Auditing
IPsec Quick Mode|{0CCE9219-69AE-11D9-BED3-505054503030}|No Auditing
IPsec Extended Mode|{0CCE921A-69AE-11D9-BED3-505054503030}|No Auditing
Special Logon|{0CCE921B-69AE-11D9-BED3-505054503030}|Success
Other Logon/Logoff Events|{0CCE921C-69AE-11D9-BED3-505054503030}|No Auditing
Network Policy Server|{0CCE9243-69AE-11D9-BED3-505054503030}|Success and Failure
User / Device Claims|{0CCE9247-69AE-11D9-BED3-505054503030}|No Auditing
File System|{0CCE921D-69AE-11D9-BED3-505054503030}|No Auditing
Registry|{0CCE921E-69AE-11D9-BED3-505054503030}|No Auditing
Kernel Object|{0CCE921F-69AE-11D9-BED3-505054503030}|No Auditing
SAM|{0CCE9220-69AE-11D9-BED3-505054503030}|No Auditing
Certification Services|{0CCE9221-69AE-11D9-BED3-505054503030}|No Auditing
Application Generated|{0CCE9222-69AE-11D9-BED3-505054503030}|No Auditing
Handle Manipulation|{0CCE9223-69AE-11D9-BED3-505054503030}|No Auditing
File Share|{0CCE9224-69AE-11D9-BED3-505054503030}|No Auditing
Filtering Platform Packet Drop|{0CCE9225-69AE-11D9-BED3-505054503030}|No Auditing
Filtering Platform Connection|{0CCE9226-69AE-11D9-BED3-505054503030}|No Auditing
Other Object Access Events|{0CCE9227-69AE-11D9-BED3-505054503030}|No Auditing
Detailed File Share|{0CCE9244-69AE-11D9-BED3-505054503030}|No Auditing
Removable Storage|{0CCE9245-69AE-11D9-BED3-505054503030}|No Auditing
Central Policy Staging|{0CCE9246-69AE-11D9-BED3-505054503030}|No Auditing
Non Sensitive Privilege Use|{0CCE9229-69AE-11D9-BED3-505054503030}|No Auditing
Other Privilege Use Events|{0CCE922A-69AE-11D9-BED3-505054503030}|No Auditing
Sensitive Privilege Use|{0CCE9228-69AE-11D9-BED3-505054503030}|No Auditing
Process Creation|{0CCE922B-69AE-11D9-BED3-505054503030}|No Auditing
Process Termination|{0CCE922C-69AE-11D9-BED3-505054503030}|No Auditing
DPAPI Activity|{0CCE922D-69AE-11D9-BED3-505054503030}|No Auditing
RPC Events|{0CCE922E-69AE-11D9-BED3-505054503030}|No Auditing
Authentication Policy Change|{0CCE9230-69AE-11D9-BED3-505054503030}|Success
Authorization Policy Change|{0CCE9231-69AE-11D9-BED3-505054503030}|No Auditing
MPSSVC Rule-Level Policy Change|{0CCE9232-69AE-11D9-BED3-505054503030}|No Auditing
Filtering Platform Policy Change|{0CCE9233-69AE-11D9-BED3-505054503030}|No Auditing
Other Policy Change Events|{0CCE9234-69AE-11D9-BED3-505054503030}|No Auditing
Audit Policy Change|{0CCE922F-69AE-11D9-BED3-505054503030}|Success
User Account Management|{0CCE9235-69AE-11D9-BED3-505054503030}|Success
Computer Account Management|{0CCE9236-69AE-11D9-BED3-505054503030}|Success
Security Group Management|{0CCE9237-69AE-11D9-BED3-505054503030}|Success
Distribution Group Management|{0CCE9238-69AE-11D9-BED3-505054503030}|No Auditing
Application Group Management|{0CCE9239-69AE-11D9-BED3-505054503030}|No Auditing
Other Account Management Events|{0CCE923A-69AE-11D9-BED3-505054503030}|No Auditing
Directory Service Changes|{0CCE923C-69AE-11D9-BED3-505054503030}|No Auditing
Directory Service Replication|{0CCE923D-69AE-11D9-BED3-505054503030}|No Auditing
Detailed Directory Service Replication|{0CCE923E-69AE-11D9-BED3-505054503030}|No Auditing
Directory Service Access|{0CCE923B-69AE-11D9-BED3-505054503030}|Success
Kerberos Service Ticket Operations|{0CCE9240-69AE-11D9-BED3-505054503030}|Success
Other Account Logon Events|{0CCE9241-69AE-11D9-BED3-505054503030}|No Auditing
Kerberos Authentication Service|{0CCE9242-69AE-11D9-BED3-505054503030}|Success
Credential Validation|{0CCE923F-69AE-11D9-BED3-505054503030}|Success
'@ -split '\r?\n')) {
        # Tolerate a stray blank line at either end of the here-string.
        if ([string]::IsNullOrWhiteSpace($row)) { continue }
        # Limit to three parts so a '|' inside a field could only ever land
        # in Inclusion, never shift the GUID.
        $subcategoryName, $subcategoryGuid, $auditSetting = $row -split '\|', 3
        @{
            Name      = $subcategoryName
            GUID      = $subcategoryGuid
            Inclusion = $auditSetting
        }
    }
)
#endregion