`dissect.target.plugins.os.windows.regf.auditpol`¶

Module Contents¶

Classes¶

AuditpolPlugin

Plugin that parses audit policy settings from the registry.

Attributes¶

`c_adtev`
`POLICY_CATEGORIES`
`POLICY_MAP`
`POLICY_VALUES`
`AuditPolicyRecord`

dissect.target.plugins.os.windows.regf.auditpol.c_adtev¶

dissect.target.plugins.os.windows.regf.auditpol.POLICY_CATEGORIES = ['System', 'Logon/Logoff', 'Object Access', 'Privilege Use', 'Detailed Tracking', 'Policy...¶

dissect.target.plugins.os.windows.regf.auditpol.POLICY_MAP¶

dissect.target.plugins.os.windows.regf.auditpol.POLICY_VALUES¶

dissect.target.plugins.os.windows.regf.auditpol.AuditPolicyRecord¶

class dissect.target.plugins.os.windows.regf.auditpol.AuditpolPlugin(target: dissect.target.Target)¶

Bases: dissect.target.plugin.Plugin

Plugin that parses audit policy settings from the registry.

KEY = 'HKLM\\SECURITY\\Policy\\PolAdtEv'¶

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

auditpol()¶

Return audit policy settings from the registry.

For Windows, the audit policy settings are stored in the HKEY_LOCAL_MACHINESecurityPolicyPolAdtEv registry key. It shows for each possible audit event if it is logged.

References

https://countuponsecurity.com/tag/poladtev/

dissect.target.plugins.os.windows.regf.auditpol¶

Module Contents¶

Classes¶

Attributes¶

`dissect.target.plugins.os.windows.regf.auditpol`¶