@nathanmcnulty
Last active April 8, 2026 05:52
BlueHammer audit testing
# =============================================
# Audit OM Symlink Creation in \BaseNamedObjects\Restricted
# Run as Administrator in a test VM
# =============================================
# Prerequisite: a SACL produces no events unless the matching audit subcategory is on.
# Object manager objects (Directory, SymbolicLink, Section, Mutant, ...) are logged under
# "Kernel Object", so enable it once with the built-in tool:
#   auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
# 1. Set execution policy (safe for testing)
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
# 2. Install / update the module (from PowerShell Gallery)
Install-Module NtObjectManager -Scope CurrentUser -Force -AllowClobber
Import-Module NtObjectManager -Force
# Reading or writing a SACL needs SeSecurityPrivilege enabled in the token. An elevated
# admin holds the privilege, but it is disabled until explicitly enabled.
Enable-NtTokenPrivilege SeSecurityPrivilege
$dirPath = "\BaseNamedObjects\Restricted"
Write-Host "=== Current SACL on $dirPath ===" -ForegroundColor Cyan
$currentSD = Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Sacl
$currentSD.Sacl | Format-List
# 3. SDDL for auditing: Success + Failure on DIRECTORY_CREATE_OBJECT (0x0004) by Everyone (WD)
# This catches NtCreateSymbolicLinkObject (and any other object creation) in the Restricted dir,
# because inserting a named object requires DIRECTORY_CREATE_OBJECT on the parent directory.
# Note: writing the SACL replaces any existing audit ACEs on the directory. The mandatory
# label ACE is governed by the separate Label security information and is not touched here.
$auditSddl = "S:(AU;SAFA;0x0004;;;WD)"
Write-Host "`n=== Setting audit SACL... ===" -ForegroundColor Green
Set-NtSecurityDescriptor -Path $dirPath `
    -SecurityDescriptor $auditSddl `
    -SecurityInformation Sacl
Write-Host "Audit rule applied successfully!" -ForegroundColor Green
# 4. Verify
Write-Host "`n=== New SACL on $dirPath ===" -ForegroundColor Cyan
$newSD = Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Sacl
$newSD.Sacl | Format-List
Write-Host "`n✅ Done! Now run BlueHammer (or any test that creates an OM symlink) and check the Security Event Log." -ForegroundColor Green
Write-Host " Look for Event ID 4656 / 4663 (Kernel Object subcategory) with Object Name containing '\BaseNamedObjects\Restricted\...'" -ForegroundColor Yellow
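A SACL that is set but never verified gives false comfort, so the following is an added end-to-end check that is not part of the gist: it enables the Kernel Object audit subcategory (saving the previous setting), confirms the audit ACE is really on the directory, creates one temporary object-manager symlink as a benign stand-in for BlueHammer, then pulls the resulting 4656/4663 events out of the Security log and restores the audit policy. It assumes the SACL from the script above has already been applied, that it runs elevated in a test VM, and that the probe link name is arbitrary (any unused name works).

```powershell
# Added example, not part of the gist: prove the SACL actually produces events.
# Assumptions: the audit ACE from the script above is already on \BaseNamedObjects\Restricted,
# this runs elevated in a test VM, and the probe link name below is a constructed placeholder.
Import-Module NtObjectManager -Force

$dirPath  = "\BaseNamedObjects\Restricted"
$linkName = "AuditProbe-$PID"   # constructed test name; any unused name works

# 1. A SACL is inert until the matching audit subcategory is enabled. Object manager objects
#    (Directory, SymbolicLink, Section, Mutant, ...) are logged under "Kernel Object".
#    Save the current setting first so it can be restored at the end.
$before = auditpol /get /subcategory:"Kernel Object" /r |
    Where-Object { $_ -ne "" } | ConvertFrom-Csv | Select-Object -First 1
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable | Out-Null

# 2. SeSecurityPrivilege must be enabled (not merely held) to read the SACL back.
Enable-NtTokenPrivilege SeSecurityPrivilege

# 3. Confirm an audit ACE covering DIRECTORY_CREATE_OBJECT (0x4) is actually present.
$sacl = (Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Sacl).Sacl
$hasAuditAce = @($sacl | Where-Object {
    $_.Type -eq "Audit" -and ($_.Mask.Access -band 0x4) -ne 0
}).Count -gt 0
if (-not $hasAuditAce) {
    Write-Warning "No audit ACE for DIRECTORY_CREATE_OBJECT on $dirPath - apply the SACL first."
}

# 4. Generate exactly one creation: a temporary symlink that disappears when the handle closes.
#    If the DACL denies creation, the SAFA flags mean a failure audit should still be logged.
$start = Get-Date
try {
    Use-NtObject ($link = New-NtSymbolicLink -Path "$dirPath\$linkName" -TargetPath $dirPath) {
        Write-Host "Created temporary OM symlink $($link.FullPath)"
    }
} catch {
    Write-Warning "Symlink creation failed ($_); a failure audit should still have been logged."
}

# 5. Pull 4656/4663 from the Security log since $start and flatten the EventData fields.
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4656, 4663; StartTime = $start } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            ObjectType = $d.ObjectType
            ObjectName = $d.ObjectName
            AccessMask = $d.AccessMask
            Process    = $d.ProcessName
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    } | Where-Object { $_.ObjectName -like "$dirPath*" }

if ($events) {
    $events | Format-Table -AutoSize
} else {
    Write-Warning "No 4656/4663 for $dirPath. Check the audit policy, the SACL, and that the Security log is not full."
}

# 6. Restore the audit subcategory to what it was before this test.
$prev = [string]$before.'Inclusion Setting'
$succ = if ($prev -match "Success") { "enable" } else { "disable" }
$fail = if ($prev -match "Failure") { "enable" } else { "disable" }
auditpol /set /subcategory:"Kernel Object" "/success:$succ" "/failure:$fail" | Out-Null
```

The probe uses the same kernel path as the real thing (NtCreateSymbolicLinkObject into the Restricted directory), so if no event appears for it, the SACL will not catch BlueHammer either, and the failing piece is almost always the audit policy rather than the ACE. On a busy host the Kernel Object subcategory is noisy, which is why the example restores the previous setting instead of leaving it on.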