darkoperator · December 17, 2024 13:08
diff --git a/auditpol.ps1 b/auditpol.ps1
 # Sample scriot for enumerating Advance Auditing Policy settings locally on the host.
 # carlos_perez[at]darkoperator.com

 $IsAdmin = ([Security.Principal.WindowsPrincipal]`
 [Security.Principal.WindowsIdentity]::GetCurrent()`
 ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
 
 $csvFiles = @()
 if ($isAdmin) {
     $csvFiles += Get-ChildItem -Path "$($env:systemroot)\security\audit" -Filter "audit.csv" -Recurse
 }
 if (Test-Path -Path "C:\Windows\System32\GroupPolicy\DataStore") {
     $csvFiles += Get-ChildItem -Path "C:\Windows\System32\GroupPolicy\DataStore" -Filter "audit.csv" -Recurse
 } 

 foreach ($csvFile in $csvFiles) {
     $csvData = Import-Csv -Path $csvFile.FullName
     foreach ($row in $csvData) {
         [PSCustomObject]@{
             AuditSetting = $row.Subcategory
             Setting = $row."Inclusion Setting"
             FilePath = $csvFile.FullName
         }
     }
 }
 $auditSettings
diff --git a/FindAdvAuditGPOs.ps1 b/FindAdvAuditGPOs.ps1
 # Sample script for enumerating all GPOs in a domain that set Advanced Auditing Settings and pulls the settings from SYSVOL
 # carlos_perez[at]darkoperator.com

 # Get domain information 
 $domain = [adsi]''
 # Convert DN to FQDN (e.g., "DC=contoso,DC=com" -> "contoso.com")
 $domainFQDN = $domain.distinguishedName[0].Split(',') | 
    Where-Object { $_ -like "DC=*" } | 
    ForEach-Object { $_.Substring(3) } | 
    Join-String -Separator '.'
 $SysVolPath = "\\$domainFQDN\SYSVOL\$domainFQDN\Policies\"

 # Setup searcher
 $searcher = [adsisearcher]"(objectClass=groupPolicyContainer)"
 $searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$($domain.distinguishedName)"

 $searcher.FindAll() | ForEach-Object {
    $gpo = $_.GetDirectoryEntry()
    $extensions = $gpo.Properties["gPCMachineExtensionNames"].Value
    
    if ($extensions -match "F3CCC681-B74C-4060-9F26-CD84525DCA2A") {
        $gpoGuid = $gpo.Name
        $csvPath = "$($SysVolPath)$($gpoGuid)\Machine\Microsoft\Windows NT\Audit\audit.csv"
        if (Test-Path $csvPath) {
            Import-Csv $csvPath | ForEach-Object {
                [PSCustomObject]@{
                    GPOName = $gpo.Properties["displayName"].Value
                    GPOGUID = $gpoGuid
                    AuditSetting = $_.Subcategory
                    Setting = $_."Inclusion Setting"
                    FilePath = $csvPath
                }
            }
        }
    }
 }
	# Sample scriot for enumerating Advance Auditing Policy settings locally on the host.
	# carlos_perez[at]darkoperator.com

	$IsAdmin = ([Security.Principal.WindowsPrincipal]`
	[Security.Principal.WindowsIdentity]::GetCurrent()`
	).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

	$csvFiles = @()
	if ($isAdmin) {
	$csvFiles += Get-ChildItem -Path "$($env:systemroot)\security\audit" -Filter "audit.csv" -Recurse
	}
	if (Test-Path -Path "C:\Windows\System32\GroupPolicy\DataStore") {
	$csvFiles += Get-ChildItem -Path "C:\Windows\System32\GroupPolicy\DataStore" -Filter "audit.csv" -Recurse
	}

	foreach ($csvFile in $csvFiles) {
	$csvData = Import-Csv -Path $csvFile.FullName
	foreach ($row in $csvData) {
	[PSCustomObject]@{
	AuditSetting = $row.Subcategory
	Setting = $row."Inclusion Setting"
	FilePath = $csvFile.FullName
	}
	}
	}
	$auditSettings
	# Sample script for enumerating all GPOs in a domain that set Advanced Auditing Settings and pulls the settings from SYSVOL
	# carlos_perez[at]darkoperator.com

	# Get domain information
	$domain = [adsi]''
	# Convert DN to FQDN (e.g., "DC=contoso,DC=com" -> "contoso.com")
	$domainFQDN = $domain.distinguishedName[0].Split(',') \|
	Where-Object { $_ -like "DC=*" } \|
	ForEach-Object { $_.Substring(3) } \|
	Join-String -Separator '.'
	$SysVolPath = "\\$domainFQDN\SYSVOL\$domainFQDN\Policies\"

	# Setup searcher
	$searcher = [adsisearcher]"(objectClass=groupPolicyContainer)"
	$searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$($domain.distinguishedName)"

	$searcher.FindAll() \| ForEach-Object {
	$gpo = $_.GetDirectoryEntry()
	$extensions = $gpo.Properties["gPCMachineExtensionNames"].Value

	if ($extensions -match "F3CCC681-B74C-4060-9F26-CD84525DCA2A") {
	$gpoGuid = $gpo.Name
	$csvPath = "$($SysVolPath)$($gpoGuid)\Machine\Microsoft\Windows NT\Audit\audit.csv"
	if (Test-Path $csvPath) {
	Import-Csv $csvPath \| ForEach-Object {
	[PSCustomObject]@{
	GPOName = $gpo.Properties["displayName"].Value
	GPOGUID = $gpoGuid
	AuditSetting = $_.Subcategory
	Setting = $_."Inclusion Setting"
	FilePath = $csvPath
	}
	}
	}
	}
	}