SCCM: How To Effectively Audit SCCM Remote Access Registry Settings
Step 1: First, make sure the computer is configured to audit the registry; otherwise, none of the rest will help you at all.
In gpedit.msc
-> Computer Configuration
-> Windows Settings
-> Security Settings
-> Advanced Audit Policy Configuration
-> System Audit Policies - Local Group Policy Object
-> Object Access
-> Audit Registry == Check Configure + both Success and Failure checkboxes
Next, we need to mark the sensitive keys themselves for auditing, i.e. tell the computer: AUDIT THIS STUFF HERE.
In regedit.exe
-> Locate the top key you want to audit (HKLM\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control)
-> Right click the Key, choose Permissions...
-> Click Advanced
-> Click the Auditing Tab
-> Click Add...
-> Type "Everyone" without quotes and hit ok
-> Check Full Control under both Successful and Failed to Audit all Access.
-> Verify this will apply on "This key and subkeys" then Hit Ok
-> Click OK
-> Close Permissions Window
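The two manual procedures above (the gpedit audit policy and the regedit SACL on the Remote Control key) can be applied and verified from an elevated PowerShell session. The script below is an added example, not part of the original post or its download; it assumes the key path named above and that it runs as a local administrator (writing a SACL needs SeSecurityPrivilege). Note that auditpol changes the effective local policy, so a domain GPO that configures the same subcategory will still win.

```powershell
# Added example: same result as the gpedit + regedit steps, done from PowerShell.
# Assumes an elevated session and the SCCM Remote Control key path from the post.
#Requires -RunAsAdministrator

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'

# 1. Audit Registry subcategory: Success and Failure (the gpedit step).
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Audit rule: Everyone (well-known SID S-1-1-0), Full Control,
#    "this key and subkeys" (ContainerInherit), both Success and Failure.
$everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$ruleArgs = @(
    $everyone,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure)
)
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList $ruleArgs

# 3. Read the current SACL (-Audit is what pulls the audit entries), append the rule, write it back.
$acl = Get-Acl -Path $KeyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 4. Verify both halves: the effective audit policy and the SACL now on the key.
auditpol.exe /get /subcategory:"Registry"
(Get-Acl -Path $KeyPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, RegistryRights, InheritanceFlags, AuditFlags |
    Format-Table -AutoSize
```

The verification step is worth keeping in any deployment script: if the auditpol line shows the subcategory as "No Auditing", a GPO is overriding the local setting and no 4657/4663 events will ever be written, no matter how the SACL looks.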
Step 2: On your computer, navigate into your C drive and create a folder called "Registry"
Step 3: Download the files here: SCCM Registry Audit with Email Alert and unzip them and confirm you have the following files
- SCCM Registry Alert - Data Accessed.ps1
- SCCM Registry Alert - Data Accessed.xml
- SCCM Registry Alert - Value Modified.ps1
- SCCM Registry Alert - Value Modified.xml
Remember, by default the scripts must be placed inside "C:\Registry", because that is where the Tasks will look for them. If you want the scripts elsewhere, update the WorkingDirectory in the scheduled task XML files to point to the new location accordingly.
Step 4: Import "SCCM Registry Alert - Value Modified.xml" and "SCCM Registry Alert - Data Accessed.xml" into Task Scheduler (taskschd.msc).
Go through them and ensure they meet your requirements. Then enable them.
Step 5: Edit the "SCCM Registry Alert - Data Accessed.ps1" and "SCCM Registry Alert - Value Modified.ps1" scripts to send to the correct email(s).
Also, ensure you are targeting a valid SMTP address; this is usually smtp.{yourdomain}, e.g. smtp.contoso.com.
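For readers who want to see what the alert scripts are built on before importing someone else's, here is an added example (not the scripts from the download) that does the same job as the two alert scripts in one pass: it reads the Security log for the events the SACL above produces (4663, object access, and 4657, registry value modified), keeps only those touching the Remote Control key, and mails a summary. The key fragment, look-back window, recipient, sender and SMTP host are placeholders to edit; the script assumes it is saved under C:\Registry and that the scheduled task runs it under an account that can read the Security log (local administrator or a member of Event Log Readers).

```powershell
# Added example: query registry audit events for the SCCM Remote Control key and mail them.
# Placeholders (edit before use): $KeyFragment, $Since window, To/From/SmtpServer.

$KeyFragment = 'SMS\Client\Client Components\Remote Control'
$Since       = (Get-Date).AddMinutes(-15)           # match the task's trigger interval
$MailParams  = @{
    To         = 'secops@contoso.com'                # placeholder
    From       = 'sccm-audit@contoso.com'            # placeholder
    SmtpServer = 'smtp.contoso.com'                  # placeholder, see Step 5
}

# Pull one named <Data Name="..."> field out of an event's EventData block.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4663 = handle to an audited object was used (key read/opened),
# 4657 = a registry value's data was changed. Both need the SACL from Step 1.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663; StartTime = $Since } `
              -ErrorAction SilentlyContinue |
          Where-Object { (Get-EventField $_ 'ObjectName') -like "*$KeyFragment*" }

if (-not $events) { return }   # nothing touched the key in this window: no mail

$lines = foreach ($e in $events) {
    $who  = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
    $proc = Get-EventField $e 'ProcessName'
    switch ($e.Id) {
        4657 {
            $fields = @(
                $e.TimeCreated, (Get-EventField $e 'ObjectName'), (Get-EventField $e 'ObjectValueName'),
                $who, $proc, (Get-EventField $e 'OldValue'), (Get-EventField $e 'NewValue')
            )
            '{0} MODIFIED {1}\{2} by {3} ({4}): "{5}" -> "{6}"' -f $fields
        }
        4663 {
            $fields = @(
                $e.TimeCreated, (Get-EventField $e 'ObjectName'), $who, $proc, (Get-EventField $e 'AccessMask')
            )
            '{0} ACCESSED {1} by {2} ({3}) access mask {4}' -f $fields
        }
    }
}

Send-MailMessage @MailParams `
    -Subject "SCCM Remote Control registry activity on $env:COMPUTERNAME" `
    -Body ($lines -join "`n")
```

Two things the summary makes visible that a bare alert does not: the ProcessName tells you whether the change came from the SCCM client itself (expected) or from something like regedit or PowerShell (worth a look), and the OldValue/NewValue pair on 4657 shows exactly what was changed, so a quick comparison against your intended client settings is possible without logging on to the machine.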
Developer's Note:
By no means is this a foolproof method. Anyone intimately familiar with how to bypass existing auditing, or how to disable the auditing portions of the Security log, should be considered an advanced attacker. Sadly, if you are dealing with an advanced attacker who is aware of these methods, you may not receive an email when they decide to intrude on you; but if you believe someone may be doing something to you, you can double-check the Event Logs (Event Viewer -> Windows Logs -> Security) and see what other accounts are logging in or accessing registry keys. You may also consider changing the script names, their location, and where the scheduled tasks are stored to make it harder for an attacker to locate and compromise your audit alerts.