/
WorkstationsScriptBlock.ps1
83 lines (65 loc) · 5.32 KB
/
WorkstationsScriptBlock.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
Param($Workstationsmtx, $WorkstationsMetaResultsFile)
$computer = $_
#Test Connection and exit if not available
If((Test-Connection -ComputerName $computer.name -Quiet) -eq $false){exit}
#Audit Metadata Section for System
#Creating object to output to .csv
$Computercsv = New-Object psobject
$Computercsv | Add-Member noteproperty "Machine Name" $computer.name
$Computercsv | Add-Member noteproperty "Operating System" $computer.OperatingSystem
$ComputerOU = $computer.DistinguishedName -creplace "^[^,]*,",""
$Computercsv | Add-Member noteproperty ComputerOU $ComputerOU
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer.name)
#Determine whether Advanced Audit Policies Forced is set and add to CSV Output object
$RegKey= $Reg.OpenSubKey("SYSTEM\\CurrentControlSet\\Control\\Lsa")
$AdvancedAuditForce = $RegKey.GetValue("scenoapplylegacyauditpolicy")
If ($AdvancedAuditForce -ne 1){$AdvancedAuditForce = $false} else {$AdvancedAuditForce = $true}
$Computercsv | Add-Member noteproperty "ForceAdvancedAudit" $AdvancedAuditForce
#Determine whether CMD Line Auditing enabled for Process Creation Events and add to CSV Output object
$RegKey= $Reg.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit")
$ProcCreationCMDLine = $RegKey.GetValue("ProcessCreationIncludeCmdLine_Enabled")
If ($ProcCreationCMDLine -ne 1){$ProcCreationCMDLine = $false} else {$ProcCreationCMDLine = $true}
$Computercsv | Add-Member noteproperty "ProcessCreationCMDLineAuditing" $ProcCreationCMDLine
#Determine whether AppLocker Appx Logging is enabled either in Enforced or Audit mode
$RegKey= $Reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\Appx")
$AppxLogging = $RegKey.GetValue("EnforcementMode")
If ($AppxLogging -eq 1 -or $AppxLogging -eq 0){$AppxLogging = $true} else {$AppxLogging = $false}
$Computercsv | Add-Member noteproperty "AppxLoggingEnabled" $AppxLogging
#Determine whether AppLocker DLL Logging is enabled either in Enforced or Audit mode
$RegKey= $Reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\Dll")
$DllLogging = $RegKey.GetValue("EnforcementMode")
If ($DllLogging -eq 1 -or $DllLogging -eq 0){$DllLogging = $true} else {$DllLogging = $false}
$Computercsv | Add-Member noteproperty "DllLoggingEnabled" $DllLogging
#Determine whether AppLocker EXE Logging is enabled either in Enforced or Audit mode
$RegKey= $Reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\Exe")
$ExeLogging = $RegKey.GetValue("EnforcementMode")
If ($ExeLogging -eq 1 -or $ExeLogging -eq 0){$ExeLogging = $true} else {$ExeLogging = $false}
$Computercsv | Add-Member noteproperty "ExeLoggingEnabled" $ExeLogging
#Determine whether AppLocker MSI Logging is enabled either in Enforced or Audit mode
$RegKey= $Reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\Msi")
$MsiLogging = $RegKey.GetValue("EnforcementMode")
If ($MsiLogging -eq 1 -or $MsiLogging -eq 0){$MsiLogging = $true} else {$MsiLogging = $false}
$Computercsv | Add-Member noteproperty "MsiLoggingEnabled" $MsiLogging
#Determine whether AppLocker Script Logging is enabled either in Enforced or Audit mode
$RegKey= $Reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\Script")
$ScriptLogging = $RegKey.GetValue("EnforcementMode")
If ($ScriptLogging -eq 1 -or $ScriptLogging -eq 0){$ScriptLogging = $true} else {$ScriptLogging = $false}
$Computercsv | Add-Member noteproperty "ScriptLoggingEnabled" $ScriptLogging
#Determine whether PowerShell Script Block Logging is enabled
$RegKey= $Reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging")
$PSScriptBlockLogging = $RegKey.GetValue("EnableScriptBlockLogging")
If ($PSScriptLogging -eq 1){$PSScriptBlockLogging = $true} else {$PSScriptBlockLogging = $false}
$Computercsv | Add-Member noteproperty "PSScriptBlockLoggingEnabled" $PSScriptBlockLogging
#Determine whether PowerShell Transcription Logging is enabled
$RegKey= $Reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription")
$PSTranscriptLogging = $RegKey.GetValue("EnableTranscripting")
If ($PSTranscriptLogging -eq 1){$PSTranscriptLogging = $true} else {$PSTranscriptLogging = $false}
$Computercsv | Add-Member noteproperty "PSTranscriptLoggingEnabled" $PSTranscriptLogging
#Determine whether the Special Groups audit key has been configured with any groups
$RegKey= $Reg.OpenSubKey("System\\CurrentControlSet\\Control\\Lsa\\Audit")
$SpecialGroupsAudit = $RegKey.GetValue("SpecialGroups")
If ($SpecialGroupsAudit -ne $null){$SpecialGroupsAudit = $true} else {$SpecialGroupsAudit = $false}
$Computercsv | Add-Member noteproperty "SpecialGroupsAuditConfigured" $SpecialGroupsAudit
$Workstationsmtx.WaitOne(300000)
$Computercsv | Export-Csv $WorkstationsMetaResultsFile -Encoding ASCII -NoTypeInformation -Append
$Workstationsmtx.ReleaseMutex()