From 63cacf5f80dcb805d623f2dcb95e8ef63f64a521 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Sun, 10 Sep 2017 22:05:07 -0500
Subject: [PATCH 1/2] Update Audit Command Execution Template.sql
---
 templates/tsql/Audit Command Execution Template.sql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/tsql/Audit Command Execution Template.sql b/templates/tsql/Audit Command Execution Template.sql
index 32d3582..e8af702 100644
--- a/templates/tsql/Audit Command Execution Template.sql
+++ b/templates/tsql/Audit Command Execution Template.sql
@@ -41,7 +41,8 @@ WITH (STATE = ON)
 use master
 CREATE DATABASE AUDIT SPECIFICATION [Audit_OSCMDEXEC]
 FOR SERVER AUDIT [DerbyconAudit]
-ADD (EXECUTE ON OBJECT::[dbo].[xp_cmdshell] BY [dbo]), -- Audit xp_cmdshell execution
+ADD (EXECUTE ON OBJECT::[dbo].[xp_cmdshell] BY [dbo]), -- Audit xp_cmdshell execution (os commands)
+ADD (EXECUTE ON OBJECT::[dbo].[xp_regwrite] BY [dbo]), -- Audit xp_regwrite execution (potential registry autoruns)
 ADD (EXECUTE ON OBJECT::[dbo].[sp_addextendedproc] BY [dbo]), -- Audit additional of custom extended stored procedures
 ADD (EXECUTE ON OBJECT::[dbo].[sp_execute_external_script] BY [dbo]), -- Audit execution of external scripts such as R and Python
 ADD (EXECUTE ON OBJECT::[dbo].[Sp_oacreate] BY [dbo]) -- Audit OLE Automation Procedure execution
From 237047edac8b9c6888e896d07467e17739aa1ff2 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Sun, 10 Sep 2017 22:08:02 -0500
Subject: [PATCH 2/2] Update Audit Command Execution Template.sql
---
 templates/tsql/Audit Command Execution Template.sql | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/templates/tsql/Audit Command Execution Template.sql b/templates/tsql/Audit Command Execution Template.sql
index e8af702..867e0f2 100644
--- a/templates/tsql/Audit Command Execution Template.sql
+++ b/templates/tsql/Audit Command Execution Template.sql
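Review bot: In the [PATCH 1/2] hunk, the added `xp_regwrite` line is scoped `BY [dbo]` like its neighbours, so the specification records executions by principals that map to dbo (sysadmin logins do) but, as far as I can tell, not by a database user who was granted EXECUTE on the procedure directly. If the intent is to log every registry write made through SQL Server, the principal should be `public`: `ADD (EXECUTE ON OBJECT::[dbo].[xp_regwrite] BY [public]),`. The same scoping applies to the `xp_cmdshell` line, where delegated non-sysadmin use is a case worth having in the log. The specification's closing clause lies outside the hunk, so the state it is created in is not visible here.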
@@ -21,7 +21,7 @@ WITH (STATE = ON)
 CREATE SERVER AUDIT SPECIFICATION [Audit_Server_Configuration_Changes]
 FOR SERVER AUDIT DerbyconAudit
 ADD (AUDIT_CHANGE_GROUP), -- Audit Audit changes
-ADD (SERVER_OPERATION_GROUP) -- Audit server changes
+ADD (SERVER_OPERATION_GROUP) -- Audit server changes (Enabling oscmdexec options)
 WITH (STATE = ON)

 -- DATABASE: Audit common agent job activity
@@ -30,9 +30,9 @@ WITH (STATE = ON)
 Use msdb
 CREATE DATABASE AUDIT SPECIFICATION [Audit_Agent_Jobs]
 FOR SERVER AUDIT [DerbyconAudit]
-ADD (EXECUTE ON OBJECT::[dbo].[sp_delete_job] BY [dbo]),
-ADD (EXECUTE ON OBJECT::[dbo].[sp_add_job] BY [dbo]),
-ADD (EXECUTE ON OBJECT::[dbo].[sp_start_job] BY [dbo])
+ADD (EXECUTE ON OBJECT::[dbo].[sp_delete_job] BY [dbo]), -- Audit agent job delete
+ADD (EXECUTE ON OBJECT::[dbo].[sp_add_job] BY [dbo]), -- Audit agent job add * ssis, cmdexec, powershell, active scripting (jscript/vbscript)
+ADD (EXECUTE ON OBJECT::[dbo].[sp_start_job] BY [dbo]) -- Audit agent job start
 WITH (STATE = ON)

 -- DATABASE: Audit potentially dangerous procedures
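Review bot: In the Audit_Agent_Jobs hunk, the new comment on the `sp_add_job` line attributes the ssis, cmdexec, powershell and active scripting subsystems to that procedure, but a job's subsystem and command are set when a step is added, by `sp_add_jobstep`, which the visible lines of this specification do not list. As written, the events show that a job was created, started or deleted, but probably not what it runs. I would audit step creation and modification as well and put the subsystem comment there: `ADD (EXECUTE ON OBJECT::[dbo].[sp_add_jobstep] BY [dbo]),` and `ADD (EXECUTE ON OBJECT::[dbo].[sp_update_jobstep] BY [dbo]),`.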