Get attributes that can’t be audited in your Active Directory

Hello,

Has you may know, you can audit Active Directory modification with Windows EventLog.
By default, all Active Directory attributes are auditable, but, if someone modify the “SearchFlags” attributes on the attributes object, that attributes can become unauditable. This can be useful for an attacker, thanks to that, he can be more discrete. You can identify if such a modification is in place on your schema with those few lines :

$dse = [adsi]“LDAP://RootDSE”
$SchemaPart=$dse.schemaNamingContext
$DisabledAuditSearcher=[ADSISearcher]"(searchFlags:1.2.840.113556.1.4.803:=256)"
$DisabledAuditSearcher.SearchRoot=[adsi]"LDAP://$SchemaPart"
$DisabledAuditSearcher.FindAll() | Select-Object -ExpandProperty Path | % {($_ -split ",")[0]} | % {($_ -split "=")[1]} | Sort-Object

Happy checking !

Leave a Reply