Get attributes that can’t be audited in your Active Directory

Hello,

As you may know, you can audit Active Directory modifications with the Windows event log (the Directory Service Changes audit category, event ID 5136 for a modified object).
By default, every Active Directory attribute is auditable. But if someone sets bit 256 (0x100, NEVER_AUDIT_VALUE) in the "searchFlags" attribute of that attribute's attributeSchema object, changes to the attribute are no longer audited. This is useful to an attacker: by default only members of Schema Admins can write to the schema, but once the bit is flipped on an attribute he intends to modify later, he can be more discreet. Note that the query below may also return attributes that carry the flag out of the box, so the real signal is a difference from a known-good baseline (another forest, or a previous run) rather than a non-empty list. You can identify whether such a modification is in place on your schema with these few lines:

# Locate the schema partition and search it for attributeSchema objects whose
# searchFlags has bit 256 (0x100) set, using the LDAP bitwise-AND matching rule
$dse = [adsi]"LDAP://RootDSE"
$SchemaPart = $dse.schemaNamingContext
$DisabledAuditSearcher = [ADSISearcher]"(searchFlags:1.2.840.113556.1.4.803:=256)"
$DisabledAuditSearcher.SearchRoot = [adsi]"LDAP://$SchemaPart"
$DisabledAuditSearcher.PageSize = 1000   # page the results so a large schema is not truncated
# The object CN (for example "Pwd-Last-Set") is the first RDN of each returned path
$DisabledAuditSearcher.FindAll() | Select-Object -ExpandProperty Path | ForEach-Object {($_ -split ",")[0]} | ForEach-Object {($_ -split "=")[1]} | Sort-Object
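The one-liner above only tells you which attributes carry the bit, not whether the bit was there from the start. The following script is an added example (not from the original post) that goes one step further: it lists the same attributes, decodes their searchFlags, and reads the constructed msDS-ReplAttributeMetaData attribute of each schema object to show when searchFlags was last changed and by which DC, so a recent, unexpected flip stands out. It also keeps an optional baseline file for later comparison. It assumes a domain-joined host with ADSI available and an account allowed to read the schema partition; the baseline path is an assumption.

```powershell
# Added example: list attributeSchema objects with the NEVER_AUDIT_VALUE bit set and
# show the replication metadata of searchFlags for each (when / from which DC it changed).
# Not the original post's code. Assumes ADSI is available and the schema NC is readable.

$NeverAuditBit = 0x100   # searchFlags bit that stops auditing of the attribute's value
$Baseline      = "C:\ADAudit\never-audit-baseline.txt"   # assumed path for the baseline list

$rootDse  = [adsi]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matches entries whose searchFlags has the bit set
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$schemaNC"
$searcher.Filter     = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$NeverAuditBit))"
$searcher.PageSize   = 1000
# msDS-ReplAttributeMetaData is constructed, so it must be requested explicitly
[void]$searcher.PropertiesToLoad.AddRange(@("lDAPDisplayName", "searchFlags", "whenChanged", "msDS-ReplAttributeMetaData"))

$results = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    # Each value of msDS-ReplAttributeMetaData is one XML fragment per attribute; keep the one for searchFlags
    $meta = $p["msds-replattributemetadata"] |
            ForEach-Object { ([xml]$_).DS_REPL_ATTR_META_DATA } |
            Where-Object { $_.pszAttributeName -eq "searchFlags" }
    [pscustomobject]@{
        Attribute      = [string]$p["ldapdisplayname"][0]
        SearchFlags    = "0x{0:X}" -f [int]$p["searchflags"][0]
        Version        = $meta.dwVersion                 # greater than 1 means searchFlags was modified after creation
        LastChange     = $meta.ftimeLastOriginatingChange
        OriginatingDsa = $meta.pszLastOriginatingDsaDN   # DC on which the change originated
        ObjectChanged  = $p["whenchanged"][0]
    }
}

$results | Sort-Object Attribute | Format-Table -AutoSize

# Keep a baseline of the attribute names: the first run writes it, later runs report
# additions (=>) and removals (<=) so a newly flagged attribute is visible immediately.
$current = @($results | ForEach-Object { $_.Attribute } | Sort-Object)
if (Test-Path $Baseline) {
    if ($current.Count -gt 0) {
        Compare-Object -ReferenceObject @(Get-Content $Baseline) -DifferenceObject $current |
            ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
    }
} elseif ($current.Count -gt 0) {
    $current | Set-Content $Baseline
}
```

Run it against each forest once to establish what "normal" looks like, then schedule it; a line marked "=>" in the comparison, or a LastChange date that does not match a known schema extension, is what deserves a closer look at who holds Schema Admins and at the 5136 events for that schema object.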

Happy checking!
