Enable All Audit Events Function

spyr0-sec · Jul 11, 2024 · 269cdba · 269cdba
1 parent eb5b885
commit 269cdba
Show file tree

Hide file tree

Showing 8 changed files with 105 additions and 0 deletions.
diff --git a/...dBadLab/AD_Attack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/Backup.xml b/...dBadLab/AD_Attack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/Backup.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4146365758-2393806926-40953608-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[test]]></NetBIOSDomainName><DnsDomainName><![CDATA[test.lab]]></DnsDomainName><UPN><![CDATA[Enterprise [email protected]]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4146365758-2393806926-40953608-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[test]]></NetBIOSDomainName><DnsDomainName><![CDATA[test.lab]]></DnsDomainName><UPN><![CDATA[Domain [email protected]]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{9C8DC447-E33C-4197-97A4-6DE3333C3539}]]></ID><Domain><![CDATA[test.lab]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 3e 85 24 f7 4e 98 ae 8e 08 e7 70 02 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 3e 85 24 f7 4e 98 ae 8e 08 e7 70 02 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 3e 85 24 f7 4e 98 ae 8e 08 e7 70 02 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Domain Controllers Audit Policy]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[65537]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+
+
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Adm\*.*"/>
+        </GroupPolicyExtension>
+
+
+
+
+
+
+
+
+
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_FSPATH%\GPO.cmt" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\GPO.cmt" bkp:Location="DomainSysvol\GPO\GPO.cmt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Microsoft" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Microsoft" bkp:Location="DomainSysvol\GPO\Machine\Microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Microsoft\Windows NT" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Microsoft\Windows NT" bkp:Location="DomainSysvol\GPO\Machine\Microsoft\Windows NT"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Microsoft\Windows NT\Audit" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Microsoft\Windows NT\Audit" bkp:Location="DomainSysvol\GPO\Machine\Microsoft\Windows NT\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Microsoft\Windows NT\Audit\audit.csv" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Microsoft\Windows NT\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\Microsoft\Windows NT\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Microsoft\Windows NT\SecEdit" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Microsoft\Windows NT\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\Microsoft\Windows NT\SecEdit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Microsoft\Windows NT\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" bkp:Location="DomainSysvol\GPO\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\DC01.test.lab\sysvol\test.lab\Policies\{9C8DC447-E33C-4197-97A4-6DE3333C3539}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>
diff --git a/...ack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/DomainSysvol/GPO/GPO.cmt b/...ack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/DomainSysvol/GPO/GPO.cmt
diff --git a/...902-4BAE-96B5-6D9F5EB54108}/DomainSysvol/GPO/Machine/Microsoft/Windows NT/Audit/audit.csv b/...902-4BAE-96B5-6D9F5EB54108}/DomainSysvol/GPO/Machine/Microsoft/Windows NT/Audit/audit.csv
@@ -0,0 +1,60 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Kerberos Authentication Service,{0cce9242-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Kerberos Service Ticket Operations,{0cce9240-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Application Group Management,{0cce9239-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Distribution Group Management,{0cce9238-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit RPC Events,{0cce922e-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Token Right Adjusted,{0cce924a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Detailed Directory Service Replication,{0cce923e-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Replication,{0cce923d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Extended Mode,{0cce921a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Main Mode,{0cce9218-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Quick Mode,{0cce9219-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Network Policy Server,{0cce9243-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Application Generated,{0cce9222-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Certification Services,{0cce9221-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Filtering Platform Packet Drop,{0cce9225-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Handle Manipulation,{0cce9223-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Kernel Object,{0cce921f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit SAM,{0cce9220-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Central Access Policy Staging,{0cce9246-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authorization Policy Change,{0cce9231-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Filtering Platform Policy Change,{0cce9233-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Privilege Use Events,{0cce922a-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
diff --git a/...4BAE-96B5-6D9F5EB54108}/DomainSysvol/GPO/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf b/...4BAE-96B5-6D9F5EB54108}/DomainSysvol/GPO/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
diff --git a/...adLab/AD_Attack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/bkupInfo.xml b/...adLab/AD_Attack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/bkupInfo.xml
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{9C8DC447-E33C-4197-97A4-6DE3333C3539}]]></GPOGuid><GPODomain><![CDATA[cygna.lab]]></GPODomain><GPODomainGuid><![CDATA[{00fe106f-2595-4e62-8560-778923b24e77}]]></GPODomainGuid><GPODomainController><![CDATA[CDC01.cygna.lab]]></GPODomainController><BackupTime><![CDATA[2024-07-10T14:55:13]]></BackupTime><ID><![CDATA[{484E617A-7902-4BAE-96B5-6D9F5EB54108}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Audit Policy]]></GPODisplayName></BackupInst>
diff --git a/...adLab/AD_Attack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/gpreport.xml b/...adLab/AD_Attack_Vectors/AuditSettings/{484E617A-7902-4BAE-96B5-6D9F5EB54108}/gpreport.xml
diff --git a/CustomRoles/AutomatedBadLab/AD_Attack_Vectors/Enable-AllAuditingEvents.ps1 b/CustomRoles/AutomatedBadLab/AD_Attack_Vectors/Enable-AllAuditingEvents.ps1
@@ -0,0 +1,21 @@
+Function Enable-AllDCAuditingEvents {
+
+    Write-Log -Message "Enabling all Audit Event Types"
+
+    # Create a new GPO
+    $AuditGPOName = "Domain Controllers Audit Policy"
+    $GPODescription = "GPO generated by AutomatedBadLab"
+
+    New-GPO -Name $AuditGPOName -Comment $GPODescription
+
+    # Link the GPO to the 'Domain Controllers' OU
+    $DCContainer = (Get-ADDomain).DomainControllersContainer
+    New-GPLink -Name $AuditGPOName -Target $DCContainer -LinkEnabled Yes -Enforced Yes
+
+    # Import the GPO
+    $AuditGPOPath = "$PSScriptRoot\AuditSettings"
+    Import-GPO -BackupGpoName $AuditGPOName -TargetName $AuditGPOName -Path $AuditGPOPath
+
+    # Force an immediate group policy update to apply
+    Invoke-GPUpdate -RandomDelayInMinutes 0 
+}
diff --git a/CustomRoles/AutomatedBadLab/AutomatedBadLab.ps1 b/CustomRoles/AutomatedBadLab/AutomatedBadLab.ps1
@@ -143,3 +143,8 @@ Disable-SMBSigning
 
 # ATTACK - Enable SMB Reflection
 Enable-Reflection
+
+# DEFEND ----------------------------------------------------------------------
+
+# Enable all Auditing types on the DC
+Enable-AllDCAuditingEvents
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{9C8DC447-E33C-4197-97A4-6DE3333C3539}]]></GPOGuid><GPODomain><![CDATA[cygna.lab]]></GPODomain><GPODomainGuid><![CDATA[{00fe106f-2595-4e62-8560-778923b24e77}]]></GPODomainGuid><GPODomainController><![CDATA[CDC01.cygna.lab]]></GPODomainController><BackupTime><![CDATA[2024-07-10T14:55:13]]></BackupTime><ID><![CDATA[{484E617A-7902-4BAE-96B5-6D9F5EB54108}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Audit Policy]]></GPODisplayName></BackupInst>