Understanding A Powerful Tool called PowerShell as an Auditor | Lucideus Research

PowerShell is a charge line utility, can use to reply to numerous valuable review inquiries amid evaluators engagements. The advantages to the reviewer are no less than twofold:

  • It enables an evaluator to spare time by specifically assembling definitive data from the earth.
  • It encourages an inspector to build up a helpful industry expertise with widespread interest

Initial, a reviewer must be given access to the device on their work area. Second, evaluator must guide PowerShell toward straightforwardly inquiry Active Directory for the data reviewer need. This is proficient utilizing the set-location AD: order in the wake of propelling PowerShell. Once issued, examiners cursor should change to mirror that reviewer are executing questions against an Active Directory area controller, so it would seem that this: PS AD :\>. All the underneath summons can be matched without-GridView or Out-File to give report-based yield.

Get-ADPrincipalGroupMembership
This summon produces a total rundown of security bunches where a specific client account is a part. From a review point of view, inspector can recognize potential isolation of obligation clashes or evaluate the propriety of access in light of characterized work duties.


Get-ADGroupMember
This is the converse of the past command, and gives a rundown of user accounts that exist in a specific security get to gathering. This charge likewise can be valuable to test get to approvals for propriety.


Get-ADUser <username> -property* A slightly more complex example, the following command would provide a more detailed output for a single, specific user account. From an audit perspective, this helps determine when an account was created, if the account is enabled, when the account last logged onto the network, and if and when bad password attempts occurred. This command can be combined with other PowerShell commands using the vertical pipe symbol (|) above the enter key to generate more complex data sets. Similar commands exist for Organizational Units, Service Accounts and Groups – just swap User in the above command with these terms.


Get-Hotfix This simple and effective command provides a list of Microsoft patches applied to a specific machine or set of specified machines, which is helpful when auditing compliance with patch cycles and the overall patch management process. The command provides the specific type of installed items (whether it’s an actual hotfix, update or security update), the time the item was installed and the user account that installed the patch. Get-ADObject Using the -Filter and -Property switches with this command allows an auditor to understand when certain object classes, such as security groups, initially came into existence, among other useful information. This information can be compared to monitored groups to detect changes and determine the effectiveness of logging controls.


Other notable mentions Get-ADForest, Get-ADDomain, Get-GPResultantSetOfPolicy and Get-GPO all allow successful profiling of the current AD environment. As a result, an auditor can understand functional levels of the forest and domain, which servers are acting in flexible single master operation (FSMO) roles, which servers serve as catalog servers and much more. These commands are a useful basis for planning any Active Directory audit.

Get-GPO -All

Get-GPResultantSetOfPolicy

Get-ADDomain

Get-ADForest

Conclusion: PowerShell can be a powerful tool to help auditors perform the audits. All auditors shall invest time to get learn and get comfortable using PowerShell. So open up PowerShell and start trying things out. You might just find a new and powerful tool for your toolkit and take a giant step forward in your career.












No comments:

Powered by Blogger.