#region Audit Policy
# Windows advanced audit policy subcategory table.
#
# Each row is (Name, GUID, Inclusion) and is materialised below into a hashtable
# with exactly those three keys, so consumers see the same shape as a literal
# @{ Name = ...; GUID = ...; Inclusion = ... } entry. The GUID is the well-known
# audit subcategory identifier ({0CCE92xx-69AE-11D9-BED3-505054503030}); Inclusion
# holds the auditpol-style setting string ('No Auditing', 'Success',
# 'Success and Failure').
#
# NOTE(review): the Inclusion values read like a snapshot of one host's policy
# rather than a hardened baseline -- e.g. 'Process Creation' is 'No Auditing', so
# applying this table as-is would not yield process-creation (4688) events.
# Confirm the intended baseline before using it to *set* policy. Subcategories
# introduced in later Windows releases (Plug and Play Events, Group Membership,
# Token Right Adjusted) are not listed here.
$AuditPolicy = @(
    # --- System ---
    @('Security System Extension',               '{0CCE9211-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('System Integrity',                        '{0CCE9212-69AE-11D9-BED3-505054503030}', 'Success and Failure'),
    @('IPsec Driver',                            '{0CCE9213-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Other System Events',                     '{0CCE9214-69AE-11D9-BED3-505054503030}', 'Success and Failure'),
    @('Security State Change',                   '{0CCE9210-69AE-11D9-BED3-505054503030}', 'Success'),
    # --- Logon/Logoff ---
    @('Logon',                                   '{0CCE9215-69AE-11D9-BED3-505054503030}', 'Success and Failure'),
    @('Logoff',                                  '{0CCE9216-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Account Lockout',                         '{0CCE9217-69AE-11D9-BED3-505054503030}', 'Success'),
    @('IPsec Main Mode',                         '{0CCE9218-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('IPsec Quick Mode',                        '{0CCE9219-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('IPsec Extended Mode',                     '{0CCE921A-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Special Logon',                           '{0CCE921B-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Other Logon/Logoff Events',               '{0CCE921C-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Network Policy Server',                   '{0CCE9243-69AE-11D9-BED3-505054503030}', 'Success and Failure'),
    @('User / Device Claims',                    '{0CCE9247-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    # --- Object Access ---
    @('File System',                             '{0CCE921D-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Registry',                                '{0CCE921E-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Kernel Object',                           '{0CCE921F-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('SAM',                                     '{0CCE9220-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Certification Services',                  '{0CCE9221-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Application Generated',                   '{0CCE9222-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Handle Manipulation',                     '{0CCE9223-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('File Share',                              '{0CCE9224-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Filtering Platform Packet Drop',          '{0CCE9225-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Filtering Platform Connection',           '{0CCE9226-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Other Object Access Events',              '{0CCE9227-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Detailed File Share',                     '{0CCE9244-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Removable Storage',                       '{0CCE9245-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Central Policy Staging',                  '{0CCE9246-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    # --- Privilege Use ---
    @('Non Sensitive Privilege Use',             '{0CCE9229-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Other Privilege Use Events',              '{0CCE922A-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Sensitive Privilege Use',                 '{0CCE9228-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    # --- Detailed Tracking ---
    @('Process Creation',                        '{0CCE922B-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Process Termination',                     '{0CCE922C-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('DPAPI Activity',                          '{0CCE922D-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('RPC Events',                              '{0CCE922E-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    # --- Policy Change ---
    @('Authentication Policy Change',            '{0CCE9230-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Authorization Policy Change',             '{0CCE9231-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('MPSSVC Rule-Level Policy Change',         '{0CCE9232-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Filtering Platform Policy Change',        '{0CCE9233-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Other Policy Change Events',              '{0CCE9234-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Audit Policy Change',                     '{0CCE922F-69AE-11D9-BED3-505054503030}', 'Success'),
    # --- Account Management ---
    @('User Account Management',                 '{0CCE9235-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Computer Account Management',             '{0CCE9236-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Security Group Management',               '{0CCE9237-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Distribution Group Management',           '{0CCE9238-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Application Group Management',            '{0CCE9239-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Other Account Management Events',         '{0CCE923A-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    # --- DS Access ---
    @('Directory Service Changes',               '{0CCE923C-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Directory Service Replication',           '{0CCE923D-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Detailed Directory Service Replication',  '{0CCE923E-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Directory Service Access',                '{0CCE923B-69AE-11D9-BED3-505054503030}', 'Success'),
    # --- Account Logon ---
    @('Kerberos Service Ticket Operations',      '{0CCE9240-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Other Account Logon Events',              '{0CCE9241-69AE-11D9-BED3-505054503030}', 'No Auditing'),
    @('Kerberos Authentication Service',         '{0CCE9242-69AE-11D9-BED3-505054503030}', 'Success'),
    @('Credential Validation',                   '{0CCE923F-69AE-11D9-BED3-505054503030}', 'Success')
) | ForEach-Object {
    # Expand each row into the same unordered hashtable shape the consumers expect.
    @{
        Name      = $_[0]
        GUID      = $_[1]
        Inclusion = $_[2]
    }
}
#endregion