Helpers/Enumerations.ps1
|
$AuditHash = @{ "0cce9210-69ae-11d9-bed3-505054503030" = "Audit_System_SecurityStateChange"; "0cce9211-69ae-11d9-bed3-505054503030" = "Audit_System_SecuritySubsystemExtension"; "0cce9212-69ae-11d9-bed3-505054503030" = "Audit_System_Integrity"; "0cce9213-69ae-11d9-bed3-505054503030" = "Audit_System_IPSecDriverEvents"; "0cce9214-69ae-11d9-bed3-505054503030" = "Audit_System_Others"; "0cce9215-69ae-11d9-bed3-505054503030" = "Audit_Logon_Logon"; "0cce9216-69ae-11d9-bed3-505054503030" = "Audit_Logon_Logoff"; "0cce9217-69ae-11d9-bed3-505054503030" = "Audit_Logon_AccountLockout"; "0cce9218-69ae-11d9-bed3-505054503030" = "Audit_Logon_IPSecMainMode"; "0cce9219-69ae-11d9-bed3-505054503030" = "Audit_Logon_IPSecQuickMode"; "0cce921a-69ae-11d9-bed3-505054503030" = "Audit_Logon_IPSecUserMode"; "0cce921b-69ae-11d9-bed3-505054503030" = "Audit_Logon_SpecialLogon"; "0cce921c-69ae-11d9-bed3-505054503030" = "Audit_Logon_Others"; "0cce921d-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_FileSystem"; "0cce921e-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Registry"; "0cce921f-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Kernel"; "0cce9220-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Sam"; "0cce9221-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_CertificationServices"; "0cce9222-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_ApplicationGenerated"; "0cce9223-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Handle"; "0cce9224-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Share"; "0cce9225-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_FirewallPacketDrops"; "0cce9226-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_FirewallConnection"; "0cce9227-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Other"; "0cce9228-69ae-11d9-bed3-505054503030" = "Audit_PrivilegeUse_Sensitive"; "0cce9229-69ae-11d9-bed3-505054503030" = "Audit_PrivilegeUse_NonSensitive"; "0cce922a-69ae-11d9-bed3-505054503030" = "Audit_PrivilegeUse_Others"; "0cce922b-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_ProcessCreation"; "0cce922c-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_ProcessTermination"; "0cce922d-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_DpapiActivity"; "0cce922e-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_RpcCall"; "0cce922f-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_AuditPolicy"; "0cce9230-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_AuthenticationPolicy"; "0cce9231-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_AuthorizationPolicy"; "0cce9232-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_MpsscvRulePolicy"; "0cce9233-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_WfpIPSecPolicy"; "0cce9234-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_Others"; "0cce9235-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_UserAccount"; "0cce9236-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_ComputerAccount"; "0cce9237-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_SecurityGroup"; "0cce9238-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_DistributionGroup"; "0cce9239-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_ApplicationGroup"; "0cce923a-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_Others"; "0cce923b-69ae-11d9-bed3-505054503030" = "Audit_DSAccess_DSAccess"; "0cce923c-69ae-11d9-bed3-505054503030" = "Audit_DsAccess_AdAuditChanges"; "0cce923d-69ae-11d9-bed3-505054503030" = "Audit_Ds_Replication"; "0CCE9244-69AE-11D9-BED3-505054503030" = "Detailed File Share"; "0cce923e-69ae-11d9-bed3-505054503030" = "Audit_Ds_DetailedReplication"; "0cce923f-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_CredentialValidation"; "0cce9240-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_Kerberos"; "0cce9241-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_Others"; "0cce9242-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_KerbCredentialValidation"; "0cce9243-69ae-11d9-bed3-505054503030" = "Audit_Logon_NPS"; } $AuditSubCategoryHash = @{ "0CCE9211-69AE-11D9-BED3-505054503030" = "Security System Extension"; "0CCE9212-69AE-11D9-BED3-505054503030" = "System Integrity"; "0CCE9213-69AE-11D9-BED3-505054503030" = "IPsec Driver"; "0CCE9214-69AE-11D9-BED3-505054503030" = "Other System Events"; "0CCE9210-69AE-11D9-BED3-505054503030" = "Security State Change"; "0CCE9215-69AE-11D9-BED3-505054503030" = "Logon"; "0CCE9216-69AE-11D9-BED3-505054503030" = "Logoff"; "0CCE9217-69AE-11D9-BED3-505054503030" = "Account Lockout" "0CCE9218-69AE-11D9-BED3-505054503030" = "IPsec Main Mode"; "0CCE9219-69AE-11D9-BED3-505054503030" = "IPsec Quick Mode"; "0CCE921A-69AE-11D9-BED3-505054503030" = "IPsec Extended Mode"; "0CCE921B-69AE-11D9-BED3-505054503030" = "Special Logon"; "0CCE921C-69AE-11D9-BED3-505054503030" = "Other Logon/Logoff Events"; "0CCE9243-69AE-11D9-BED3-505054503030" = "Network Policy Server"; "0cce9247-69ae-11d9-bed3-505054503030" = "User / Device Claims"; "0cce9249-69ae-11d9-bed3-505054503030" = "Group Membership"; "0CCE921D-69AE-11D9-BED3-505054503030" = "File System"; "0CCE921E-69AE-11D9-BED3-505054503030" = "Registry"; "0CCE921F-69AE-11D9-BED3-505054503030" = "Kernel Object"; "0CCE9220-69AE-11D9-BED3-505054503030" = "SAM"; "0CCE9221-69AE-11D9-BED3-505054503030" = "Certification Services"; "0CCE9222-69AE-11D9-BED3-505054503030" = "Application Generated"; "0CCE9223-69AE-11D9-BED3-505054503030" = "Handle Manipulation"; "0CCE9224-69AE-11D9-BED3-505054503030" = "File Share"; "0CCE9225-69AE-11D9-BED3-505054503030" = "Filtering Platform Packet Drop"; "0CCE9226-69AE-11D9-BED3-505054503030" = "Filtering Platform Connection"; "0CCE9227-69AE-11D9-BED3-505054503030" = "Other Object Access Events"; "0CCE9244-69AE-11D9-BED3-505054503030" = "Detailed File Share"; "0CCE9245-69AE-11D9-BED3-505054503030" = "Removable Storage"; "0CCE9246-69AE-11D9-BED3-505054503030" = "Central Policy Staging"; "0CCE9229-69AE-11D9-BED3-505054503030" = "Non Sensitive Privilege Use"; "0CCE922A-69AE-11D9-BED3-505054503030" = "Other Privilege Use Events"; "0CCE9228-69AE-11D9-BED3-505054503030" = "Sensitive Privilege Use"; "0CCE922B-69AE-11D9-BED3-505054503030" = "Process Creation"; "0CCE922C-69AE-11D9-BED3-505054503030" = "Process Termination"; "0CCE922D-69AE-11D9-BED3-505054503030" = "DPAPI Activity"; "0CCE922E-69AE-11D9-BED3-505054503030" = "RPC Events"; "0cce9248-69ae-11d9-bed3-505054503030" = "Plug and Play Events"; "0CCE9230-69AE-11D9-BED3-505054503030" = "Authentication Policy Change"; "0CCE9231-69AE-11D9-BED3-505054503030" = "Authorization Policy Change"; "0CCE9232-69AE-11D9-BED3-505054503030" = "MPSSVC Rule-Level Policy Change"; "0CCE9233-69AE-11D9-BED3-505054503030" = "Filtering Platform Policy Change"; "0CCE9234-69AE-11D9-BED3-505054503030" = "Other Policy Change Events"; "0CCE922F-69AE-11D9-BED3-505054503030" = "Audit Policy Change"; "0CCE9235-69AE-11D9-BED3-505054503030" = "User Account Management"; "0CCE9236-69AE-11D9-BED3-505054503030" = "Computer Account Management"; "0CCE9237-69AE-11D9-BED3-505054503030" = "Security Group Management"; "0CCE9238-69AE-11D9-BED3-505054503030" = "Distribution Group Management"; "0CCE9239-69AE-11D9-BED3-505054503030" = "Application Group Management"; "0CCE923A-69AE-11D9-BED3-505054503030" = "Other Account Management Events"; "0CCE923C-69AE-11D9-BED3-505054503030" = "Directory Service Changes"; "0CCE923D-69AE-11D9-BED3-505054503030" = "Directory Service Replication"; "0CCE923E-69AE-11D9-BED3-505054503030" = "Detailed Directory Service Replication"; "0CCE923B-69AE-11D9-BED3-505054503030" = "Directory Service Access"; "0CCE9240-69AE-11D9-BED3-505054503030" = "Kerberos Service Ticket Operations"; "0CCE9241-69AE-11D9-BED3-505054503030" = "Other Account Logon Events"; "0CCE9242-69AE-11D9-BED3-505054503030" = "Kerberos Authentication Service"; "0CCE923F-69AE-11D9-BED3-505054503030" = "Credential Validation"; } $AuditCategoryHash = @{ "AuditSystemEvents" = @( "Security System Extension", "System Integrity", "IPsec Driver", "Other System Events", "Security State Change" ) "AuditLogonEvents" = @( "Logon", "Logoff", "Account Lockout", "IPsec Main Mode", "IPsec Quick Mode", "IPsec Extended Mode", "Special Logon", "Other Logon/Logoff Events", "Network Policy Server" ) "AuditObjectAccess" = @( "File System", "Registry", "Kernel Object", "SAM", "Certification Services", "Application Generated", "Handle Manipulation", "File Share", "Filtering Platform Packet Drop", "Filtering Platform Connection", "Other Object Access Events" ) "AuditPrivilegeUse" = @( "Sensitive Privilege Use", "Non Sensitive Privilege Use", "Other Privilege Use Events" ) "AuditProcessTracking" = @( "Process Termination", "DPAPI Activity", "RPC Events", "Process Creation" ) "AuditPolicyChange" = @( "Audit Policy Change", "Authentication Policy Change", "Authorization Policy Change", "MPSSVC Rule-Level Policy Change", "Filtering Platform Policy Change", "Other Policy Change Events" ) "AuditAccountManage" = @( "User Account Management", "Computer Account Management", "Security Group Management", "Distribution Group Management", "Application Group Management", "Other Account Management Events" ) "AuditDSAccess" = @( "Directory Service Changes", "Directory Service Replication", "Detailed Directory Service Replication", "Directory Service Access" ) "AuditAccountLogon" = @( "Kerberos Service Ticket Operations", "Other Account Logon Events", "Kerberos Authentication Service", "Credential Validation" ) } $UserRightsHash = @{ "SeTrustedCredManAccessPrivilege" = "Access_Credential_Manager_as_a_trusted_caller" "SeNetworkLogonRight" = "Access_this_computer_from_the_network" "SeTcbPrivilege" = "Act_as_part_of_the_operating_system" "SeMachineAccountPrivilege" = "Add_workstations_to_domain" "SeIncreaseQuotaPrivilege" = "Adjust_memory_quotas_for_a_process" "SeInteractiveLogonRight" = "Allow_log_on_locally" "SeRemoteInteractiveLogonRight" = "Allow_log_on_through_Remote_Desktop_Services" "SeBackupPrivilege" = "Back_up_files_and_directories" "SeChangeNotifyPrivilege" = "Bypass_traverse_checking" "SeSystemtimePrivilege" = "Change_the_system_time" "SeTimeZonePrivilege" = "Change_the_time_zone" "SeCreatePagefilePrivilege" = "Create_a_pagefile" "SeCreateTokenPrivilege" = "Create_a_token_object" "SeCreateGlobalPrivilege" = "Create_global_objects" "SeCreatePermanentPrivilege" = "Create_permanent_shared_objects" "SeCreateSymbolicLinkPrivilege" = "Create_symbolic_links" "SeDebugPrivilege" = "Debug_programs" "SeDenyNetworkLogonRight" = "Deny_access_to_this_computer_from_the_network" "SeDenyBatchLogonRight" = "Deny_log_on_as_a_batch_job" "SeDenyServiceLogonRight" = "Deny_log_on_as_a_service" "SeDenyInteractiveLogonRight" = "Deny_log_on_locally" "SeDenyRemoteInteractiveLogonRight" = "Deny_log_on_through_Remote_Desktop_Services" "SeEnableDelegationPrivilege" = "Enable_computer_and_user_accounts_to_be_trusted_for_delegation" "SeRemoteShutdownPrivilege" = "Force_shutdown_from_a_remote_system" "SeAuditPrivilege" = "Generate_security_audits" "SeImpersonatePrivilege" = "Impersonate_a_client_after_authentication" "SeIncreaseWorkingSetPrivilege" = "Increase_a_process_working_set" "SeIncreaseBasePriorityPrivilege" = "Increase_scheduling_priority" "SeLoadDriverPrivilege" = "Load_and_unload_device_drivers" "SeLockMemoryPrivilege" = "Lock_pages_in_memory" "SeBatchLogonRight" = "Log_on_as_a_batch_job" "SeServiceLogonRight" = "Log_on_as_a_service" "SeSecurityPrivilege" = "Manage_auditing_and_security_log" "SeRelabelPrivilege" = "Modify_an_object_label" "SeSystemEnvironmentPrivilege" = "Modify_firmware_environment_values" "SeManageVolumePrivilege" = "Perform_volume_maintenance_tasks" "SeProfileSingleProcessPrivilege" = "Profile_single_process" "SeSystemProfilePrivilege" = "Profile_system_performance" "SeUndockPrivilege" = "Remove_computer_from_docking_station" "SeAssignPrimaryTokenPrivilege" = "Replace_a_process_level_token" "SeRestorePrivilege" = "Restore_files_and_directories" "SeShutdownPrivilege" = "Shut_down_the_system" "SeSyncAgentPrivilege" = "Synchronize_directory_service_data" "SeTakeOwnershipPrivilege" = "Take_ownership_of_files_or_other_objects" } $SecuritySettings = "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength", "PasswordComplexity", "PasswordHistorySize", "LockoutBadCount", "ForceLogoffWhenHourExpire", "NewAdministratorName", "NewGuestName", "ClearTextPassword", "LSAAnonymousNameLookup", "EnableAdminAccount", "EnableGuestAccount", "ResetLockoutCount", "LockoutDuration", "MaxServiceAge", "MaxTicketAge", "MaxRenewAge", "MaxClockSkew", "TicketValidateClient" $SecurityOptionSettings = @{ 'ForceLogoffWhenHourExpire' = 'Network_security_Force_logoff_when_logon_hours_expire'; 'LSAAnonymousNameLookup' = 'Network_access_Allow_anonymous_SID_Name_translation'; 'EnableAdminAccount' = 'Accounts_Administrator_account_status' 'EnableGuestAccount' = 'Accounts_Guest_account_status' 'NewAdministratorName' = 'Accounts_Rename_administrator_account' 'NewGuestName' = 'Accounts_Rename_guest_account' } $AccountPolicySettings = @{ 'MaximumPasswordAge' = 'Maximum_Password_Age'; 'MinimumPasswordAge' = 'Minimum_Password_Age'; 'MinimumPasswordLength' = 'Minimum_Password_Length'; 'PasswordComplexity' = 'Password_must_meet_complexity_requirements'; 'ClearTextPassword' = 'Store_passwords_using_reversible_encryption'; 'PasswordHistorySize' = 'Enforce_password_history'; 'MaxServiceAge' = 'Maximum_lifetime_for_service_ticket'; 'MaxTicketAge' = 'Maximum_lifetime_for_user_ticket'; 'MaxRenewAge' = 'Maximum_lifetime_for_user_ticket_renewal'; 'MaxClockSkew' = 'Maximum_tolerance_for_computer_clock_synchronization'; 'TicketValidateClient' = 'Enforce_user_logon_restrictions'; 'LockoutDuration' = 'Account_lockout_duration'; 'LockoutBadCount' = 'Account_lockout_threshold'; 'ResetLockoutCount' = 'Reset_account_lockout_counter_after'; } $SecuritySettingsWEnabledDisabled = "Accounts_Administrator_account_status", "Accounts_Guest_account_status", "Enforce_user_logon_restrictions", "Password_must_meet_complexity_requirements", "Store_passwords_using_reversible_encryption" $EnabledDisabled = "Disabled", "Enabled" |