enable_audit_browser_data.ps1
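function Set-Audit-FileSystem {
  <#
  .SYNOPSIS
  Puts a Success audit rule (SACL entry) for Everyone on a file or directory.

  .DESCRIPTION
  Based on the 'Windows File Auditing Cheat Sheet'
  (www.MalwareArchaeology.com\cheat-sheets).

  Builds a FileSystemAuditRule for the well-known "Everyone" principal with
  the rights named in $AccessSent, inheritance "ContainerInherit, ObjectInherit",
  propagation "NoPropagateInherit" and audit flag "Success", and applies it to
  $path through Set-Acl. Only successful accesses are audited by this rule;
  failed access attempts are not covered.

  The outcome is reported on stdout via Write-Output and nothing is thrown:
    "Set-Audit-FileSystem OKAY: <path>"
    "Set-Audit-FileSystem Error: <path> not found"
    "Set-Audit-FileSystem Error: <path>: <exception message>"

  NOTE(review): the rule is applied through a freshly created DirectorySecurity
  object, which carries none of the target's existing SACL. Persisting it is
  expected to replace the explicit audit entries on the target rather than add
  to them -- confirm, or read the current descriptor with Get-Acl -Audit and
  add the rule to that instead. Writing a SACL needs the privilege to manage
  auditing (normally an elevated session), and the events it enables are only
  recorded when object-access / file-system auditing is switched on in the
  local audit policy.

  .PARAMETER path
  File or directory to audit. Checked with Test-Path -LiteralPath, so wildcard
  characters in the name are taken literally.

  .PARAMETER AccessSent
  Comma-separated FileSystemRights names (e.g. "Read,ReadData"). Not validated
  here: an unknown name makes the rule constructor throw, which is reported
  through the catch branch together with the exception text.
  #>
  param
  (
    [Parameter(Mandatory = $true)]
    [string]$path,
    [string]$AccessSent
  )
  try {
    if (Test-Path -LiteralPath $path) {
      $ACL = New-Object System.Security.AccessControl.DirectorySecurity
      # Identity, rights, inheritance, propagation, audit flags.
      $ruleArgs = @("Everyone", $AccessSent, "ContainerInherit, ObjectInherit", "NoPropagateInherit", "Success")
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
      $ACL.SetAuditRule($AccessRule)
      $ACL | Set-Acl $path
      Write-Output "Set-Audit-FileSystem OKAY: $path"
    }
    else {
      Write-Output "Set-Audit-FileSystem Error: $path not found"
    }
  }
  catch {
    # Fix: the original dropped the exception text, so a bad rights name, a
    # missing privilege and an access-denied on Set-Acl all looked identical.
    # ${path} is braced because "$path:" would be read as a scoped variable.
    Write-Output "Set-Audit-FileSystem Error: ${path}: $($_.Exception.Message)"
  }
}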
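# Entry point: find browser credential and key stores under every profile in
# $Env:SystemDrive\Users and put a Success audit rule on each of them with
# Set-Audit-FileSystem (defined above in this file). Progress and the per-file
# outcome go to stdout. Writing SACLs needs the privilege to manage auditing
# (normally an elevated session), and the events this enables are only
# recorded when file-system object-access auditing is on in the audit policy.

# Case-insensitive match for the files of interest: anything under an AppData
# folder that belongs to Chrome/Firefox/Edge/Opera/Coccoc/Brave and ends in one
# of the credential or key stores (key4.db, logins.json, Local State, Login Data).
$filemonRegex = '(?i).*\\Appdata\\.*(Chrome|Firefox|Edge|Opera|Coccoc|Brave).*(key4\.db|logins\.json|User Data.*\\Local State|User Data.*\\Login Data|Opera.*\\Login Data)$'
Write-Output "Begin Browser audit setting..."
$UsersDir = "$Env:SystemDrive\Users"
# -Force includes hidden items (the AppData folder is normally hidden);
# profiles the caller cannot read are skipped instead of aborting the scan.
$browserSensitiveFile = Get-ChildItem -Force -Recurse $UsersDir -ErrorAction SilentlyContinue |
  Where-Object { !$_.PSIsContainer } |
  Select-Object "FullName" |
  Where-Object { $_.FullName -match $filemonRegex }
foreach ($file in $browserSensitiveFile) {
  # Fix: the original compared the whole Select-Object record to "", which can
  # never be true; guard on the path string itself.
  if ([string]::IsNullOrEmpty($file.FullName)) {
    continue
  }
  $log = "Enable audit for {0}" -f $file.FullName
  Write-Output $log
  Set-Audit-FileSystem $file.FullName "Read,ReadAndExecute,ReadAttributes,ReadData,ReadExtendedAttributes,ReadPermissions"
}
Write-Output "Browser audit setting Done"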