functions/Get-GroupPolicyFromMitreTechniques.ps1
|
function Get-GroupPolicyFromMitreTechniques { <# .SYNOPSIS Creates a group policy out of the selected events. .DESCRIPTION Creates a group policy out of the selected events which are mapped to the MITRE ATT&CK Techniques. .PARAMETER Identity Prompts you for the Identity that should be used to generate an Group Policy from. You can either use a baseline name or one or multiple Mitre Technique IDs. .PARAMETER Path Lets you specify the destination output path: where should the GPO be stored? .EXAMPLE Get-GroupPolicyFromMitreTechniques Creates a group policy out of the selected events. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '')] [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")] [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")] [CmdletBinding()] param ( [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [Alias('BaselineName', 'TechniqueId')] [string]$Identity, [string]$Path ) process { if ($Path) { $destFolder = $Path } else { if ($Script:openFromGui) { $destFolder = Start-FilePicker -description "Select a directory where the GPO should be saved" } else { write-host "Provide the path where the GPO should be saved: Get-GroupPolicyFromMitreTechniques -Path 'C:\tmp' -Identity 'T1039'" } } if ($destFolder) { $GpoTmpl = "$ModuleRoot\internal\data\GPO\*" if ($Script:openFromGui) { $MitreTechniques = Get-CheckedMitreTechniques } else { if ($identity) { if (Get-BaselineNameFromDB -BaselineName $Identity) { $MitreTechniques = Get-MitreTechniquesFromBaseline -BaselineName $Identity } elseif ($Identity -match "^T\d{4}$") { $MitreTechniques = $("'" + $Identity + "'") } elseif ( ($Identity -match "^['T\d{4}$]") -or ($Identity -match "^T\d{4}$") ) { $MitreTechniques = $Identity } } } $tmp = Get-MitreEvents -MitreTechniques $MitreTechniques -advancedAudit if ($tmp) { $auditCsvString = "Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value" foreach ($item in $tmp) { $subcategory_name = $item | Select-Object -ExpandProperty subcategory_name $guid = $item | Select-Object -ExpandProperty guid $sf_sum = $item | Select-Object -ExpandProperty sf_sum switch ($sf_sum) { # if success_failure_id >= 3 it's always s+f / 1 = s / 2 = f 0 { "" } 1 { $sf_string = "Success" $sf_number = $sf_sum } 2 { $sf_string = "Failure" $sf_number = $sf_sum } default { $sf_string = "Success and Failure" $sf_number = 3 } } $auditCsvString = $auditCsvString + "`r`n,System,$subcategory_name,$guid,$sf_string,,$sf_number" } $GPOFolder = $("{$(New-Guid)}").ToUpper() New-Item -ItemType directory -Path "$destFolder\$GPOFolder" Copy-Item "$GpoTmpl" -Destination "$destFolder\$GPOFolder" -Recurse New-Item -ItemType directory -Path "$destFolder\$GPOFolder\Machine\Microsoft\Windows NT\Audit\" New-Item -ItemType directory -Path "$destFolder\$GPOFolder\Machine\Scripts\Shutdown\" New-Item -ItemType directory -Path "$destFolder\$GPOFolder\Machine\Scripts\Startup\" New-Item -ItemType directory -Path "$destFolder\$GPOFolder\User\" Set-Content -Path "$destFolder\$GPOFolder\Machine\Microsoft\Windows NT\Audit\audit.csv" -Value $auditCsvString } } } } |