@sunnyc7
Created May 13, 2024 18:03
Basic AuditPolicy config for WFP event generation
<#
Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting
DESKTOP02 System IPsec Driver {0CCE9213-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Removable Storage {0CCE9245-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Other Object Access Events {0CCE9227-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Filtering Platform Connection {0CCE9226-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Filtering Platform Packet Drop {0CCE9225-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Certification Services {0CCE9221-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System SAM {0CCE9220-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Kernel Object {0CCE921F-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Other Privilege Use Events {0CCE922A-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Non Sensitive Privilege Use {0CCE9229-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Sensitive Privilege Use {0CCE9228-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System RPC Events {0CCE922E-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Token Right Adjusted Events {0CCE924A-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System DPAPI Activity {0CCE922D-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Filtering Platform Policy Change {0CCE9233-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Authorization Policy Change {0CCE9231-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System MPSSVC Rule-Level Policy Change {0CCE9232-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Kerberos Service Ticket Operations {0CCE9240-69AE-11D9-BED3-505054503030} No Auditing
DESKTOP02 System Credential Validation {0CCE923F-69AE-11D9-BED3-505054503030} No Auditing
#>
# Admin
# $true when the current token holds the built-in Administrator role. The
# auditpol /set calls further down only run when this is set; under UAC the
# check is expected to come back $false from a non-elevated prompt, so the
# script must be started elevated, not merely by an admin account.
$currentPrincipalIsLocalAdmin = (New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList ([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
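Function Backup-AuditPolFile {
<#
.SYNOPSIS
Exports the effective audit policy to a CSV file and opens it for review.
.DESCRIPTION
Wraps "auditpol /backup". The export doubles as the rollback point for the
changes this script makes: "auditpol /restore /file:<path>" restores it.
auditpol needs an elevated token; the function now throws instead of
silently continuing (and then opening a file that was never written).
.PARAMETER apolCSV
Destination path. Defaults to a second-resolution timestamped file in
%TEMP% so that two snapshots taken a minute apart (the "before" and
"after" runs below) get distinct names instead of the second run deleting
the first. Any existing file at the path is removed before the export,
as in the original, because auditpol is not relied on to overwrite.
.OUTPUTS
None. The CSV is opened with whatever application is registered for .csv.
#>
[CmdletBinding()]
param(
# yyyyMMdd_HHmmss (the original "yyy_MM_ss" omitted day/hour/minute, so
# separate runs could collide on the seconds field alone)
$apolCSV = "$($env:TEMP)\$($env:COMPUTERNAME)_auditpolicy_BACKUP_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
)
process {
    # AuditPol backup
    if (Test-Path -Path $apolCSV) {
        Write-Verbose "Removing existing file at $apolCSV before export"
        Remove-Item -Path $apolCSV -Force
    }
    auditpol /backup "/file:$apolCSV"
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /backup failed with exit code $LASTEXITCODE (run from an elevated prompt)"
    }
    # Read AuditPol: hands the CSV to the default .csv handler (Excel, Notepad, ...)
    Invoke-Item -Path $apolCSV
}
}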
Function Get-AuditPolEvents {
<#
.SYNOPSIS
Returns Security-log events with IDs 5100-5200 (Windows Filtering Platform range).
.PARAMETER wfp
Must be given for the query to run; without it the function emits nothing
(presumably so further event families can be added as more switches later).
.OUTPUTS
One EventLogRecord per matching event, as produced by Get-WinEvent.
#>
param (
[switch]$wfp
)
begin {
# Structured query handed to Get-WinEvent -FilterXml so the ID filter is
# applied by the event log service rather than by a client-side Where-Object.
# Reading the Security log normally requires an elevated token.
# NOTE(review): 5100-5200 takes in the Filtering Platform connection and
# packet-drop events (5152/5156/5157 and neighbours) but not the Filtering
# Platform Policy Change events in the 54xx range, which this script also
# enables; widen the window if those are wanted.
$xml = @"
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[( (EventID &gt;= 5100 and EventID &lt;= 5200) )]]</Select>
</Query>
</QueryList>
"@
}
process {
    # Guard clause: no switch, no query, no output.
    if (-not $wfp) { return }
    Get-WinEvent -FilterXml $xml
}
}
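# Set AuditPolicy
# Subcategory GUIDs to enable (names are in the header comment). Each is set
# to success AND failure. Volume caveat: success auditing of Filtering
# Platform Connection / Packet Drop can generate thousands of events per
# minute on a busy host, and Kernel Object, RPC and Token Right Adjusted are
# noisy as well, so size or forward the Security log before leaving this on.
# If advanced audit policy is delivered by Group Policy, the next refresh may
# revert these local settings.
# Split on CR, LF or CRLF and drop blank/whitespace entries: the original
# "`r`n" split yields one multi-line string (and a broken auditpol call)
# when the file is saved with LF line endings.
$apolGUID = @"
{0CCE9213-69AE-11D9-BED3-505054503030}
{0CCE9245-69AE-11D9-BED3-505054503030}
{0CCE9227-69AE-11D9-BED3-505054503030}
{0CCE9226-69AE-11D9-BED3-505054503030}
{0CCE9225-69AE-11D9-BED3-505054503030}
{0CCE9221-69AE-11D9-BED3-505054503030}
{0CCE9220-69AE-11D9-BED3-505054503030}
{0CCE921F-69AE-11D9-BED3-505054503030}
{0CCE922A-69AE-11D9-BED3-505054503030}
{0CCE9229-69AE-11D9-BED3-505054503030}
{0CCE9228-69AE-11D9-BED3-505054503030}
{0CCE922E-69AE-11D9-BED3-505054503030}
{0CCE924A-69AE-11D9-BED3-505054503030}
{0CCE922D-69AE-11D9-BED3-505054503030}
{0CCE9233-69AE-11D9-BED3-505054503030}
{0CCE9231-69AE-11D9-BED3-505054503030}
{0CCE9232-69AE-11D9-BED3-505054503030}
{0CCE9240-69AE-11D9-BED3-505054503030}
{0CCE923F-69AE-11D9-BED3-505054503030}
"@ -split '\r?\n' | Where-Object { $_ -match '\S' } | ForEach-Object { $_.Trim() }
if ($currentPrincipalIsLocalAdmin) {
    # Backup AuditPolicy: the "before" snapshot is the rollback point
    # (auditpol /restore /file:<that csv>).
    Backup-AuditPolFile
    foreach ($policy in $apolGUID) {
        auditpol /set "/subcategory:$policy" /success:enable /failure:enable
        # Keep going on a per-subcategory failure; the "after" snapshot shows
        # what actually took effect and the "before" one allows a restore.
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol /set failed for $policy (exit code $LASTEXITCODE)"
        }
    }
    # Check AuditPolicy: "after" snapshot of the effective policy
    Backup-AuditPolFile
}
else {
    # Previously a silent no-op followed by a 60 s wait and an empty query.
    Write-Warning 'Not running with the local Administrator role; audit policy left unchanged.'
}
# Give the new policy time to generate some traffic-related events
Start-Sleep -Seconds 60
# Check Windows Events
Get-AuditPolEvents -wfp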