CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2026-01-23 08:31:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #153 from Yamato-Security/141-adcs-attack-update

Browse Source 
feat: support for adcs audit
This commit is contained in:
Zach Mathis (田中ザック)
2025-11-15 14:17:14 +09:00
committed by GitHub
parent 13a601caba d5bb686439
commit 1f9c3c98e2
5 changed files with 126 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
README-Japanese.md
View File

@@ -44,7 +44,9 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善
- [audit-settings (stdout)](#audit-settings-stdout)
- [audit-settings (gui)](#audit-settings-gui)
- [audit-settings (table)](#audit-settings-table)
- [audit-settings (mitre-attack-navigator)](#audit-settings-mitre-attack-navigator)
- [audit-filesize](#audit-filesize)
- [configure](#configure)
- [機能](#機能)
- [前提要件](#前提要件)
- [ダウンロード](#ダウンロード)
@@ -55,6 +57,8 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善
- [`audit-settings` command examples](#audit-settings-command-examples)
- [audit-filesize](#audit-filesize-1)
- [`audit-filesize` command examples](#audit-filesize-command-examples)
- [configure](#configure)
- [`configure` command examples](#configure-command-examples)
- [update-rules](#update-rules)
- [`update-rules` command examples](#update-rules-command-examples)
- [Windowsイベントログの監査設定に関するその他の参考資料](#windowsイベントログの監査設定に関するその他の参考資料)
@@ -78,14 +82,21 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善
## audit-settings (table)
![WELA Table](screenshots/table.png)
## audit-settings (mitre-attack-navigator)
![WELA Mitre Attack Navigator](screenshots/mitre.png)
## audit-filesize
![WELA FileSize](screenshots/filesize.png)
## configure
![WELA Configure](screenshots/configure.png)
# 機能
- Windows Event Log Audit policyに対する評価
- 主要なWindowsイベントログ監査設定ガイドに基づくチェック
- Windows Event Logの監査設定を、実際のSigmaルールの検知範囲に基づいて評価
- Windows Event Logのファイルサイズを監査し、推奨サイズを提案
- 推奨されるWindowsイベントログ監査ポリシーとファイルサイズの設定
# 前提要件
* PowerShell 5.1+
@@ -103,6 +114,7 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善
# コマンド一覧
- `audit-settings`: Windowsイベントログ監査ポリシー設定を評価する
- `audit-filesize`: Windowsイベントログファイルサイズを評価する
- `configure`: 推奨のWindowsイベントログ監査ポリシーとファイズサイズを設定する
- `update-rules`: WELAのSigmaルール設定ファイルを更新する
# コマンド使用例
@@ -113,7 +125,7 @@ RuleCountは、そのカテゴリ内のイベントを検出できる[Sigmaル
#### `audit-settings` command examples
YamatoSecurityの推奨設定でチェックし、CSV形式で保存する:
```
./WELA.ps1 audit-settings
./WELA.ps1 audit-settings -BaseLine YamatoSecurity
```
Australian Signals Directorateの推奨設定でチェックし、CSV形式で保存する:
@@ -132,12 +144,26 @@ Microsoftの推奨設定(Client)でチェックし、Table形式で表示する:
```
## audit-filesize
`audit-filesize`コマンドは、Windowsイベントログファイルサイズを評価し、**Yamato Security**の推奨設定と比較します。
`audit-filesize`コマンドは、Windowsイベントログファイルサイズを評価し、Yamato Securityの推奨設定と比較します。
#### `audit-filesize` command examples
WindowsイベントログファイルサイズをYamatoSecurityの推奨設定でチェックし、CSV形式で保存する:
```
./WELA.ps1 audit-filesize
./WELA.ps1 audit-filesize --BaseLine YamatoSecurity
```
## configure
`configure`コマンドは、推奨のWindowsイベントログ監査ポリシーとファイルサイズを設定します。
#### `configure` command examples
Yamato Securityの推奨設定を適用する設定変更時に確認プロンプトを表示:
```
./WELA.ps1 configure --BaseLine YamatoSecurity
```
Australian Signals Directorateの推奨設定を自動で適用する:
```
./WELA.ps1 configure --BaseLine ASD -auto
```
## update-rules

30
README.md
View File

@@ -44,7 +44,9 @@ WELA also assesses log configurations **based on real-world Sigma rule coverage*
- [audit-settings (terminal output)](#audit-settings-terminal-output)
- [audit-settings (GUI)](#audit-settings-gui)
- [audit-settings (table)](#audit-settings-table)
- [audit-setting (mitre-attack-navigator)](#audit-settings-table)
- [audit-filesize](#audit-filesize)
- [configure](#configure)
- [Features](#features)
- [Prerequisites](#prerequisites)
- [Downloads](#downloads)
@@ -55,6 +57,8 @@ WELA also assesses log configurations **based on real-world Sigma rule coverage*
- [`audit-settings` command examples](#audit-settings-command-examples)
- [audit-filesize](#audit-filesize-1)
- [`audit-filesize` command examples](#audit-filesize-command-examples)
- [configure](#configure)
- [`configure` command examples](#configure-command-examples)
- [update-rules](#update-rules)
- [`update-rules` command examples](#update-rules-command-examples)
- [Other Windows Event Log Audit Settings Related Resources](#other-windows-event-log-audit-settings-related-resources)
@@ -78,14 +82,21 @@ WELA also assesses log configurations **based on real-world Sigma rule coverage*
## audit-settings (table)
![WELA Table](screenshots/table.png)
## audit-settings (mitre-attack-navigator)
![WELA Mitre Attack Navigator](screenshots/mitre.png)
## audit-filesize
![WELA FileSize](screenshots/filesize.png)
## configure
![WELA Configure](screenshots/configure.png)
# Features
- Auditing Windows event log audit policy settings.
- Checking **based on the major Windows event log audit configuration guidelines**.
- Checking Windows event log audit settings based on **real-world Sigma rule detectability**.
- Auditing of Windows event log file sizes and suggestions for the recommended size.
- Setting recommended Windows event log audit policy and file sizes.
# Prerequisites
* Windows PowerShell 5.1 or PowerShell Core
@@ -103,6 +114,7 @@ Please download the latest stable version of WELA from the [Releases](https://gi
# Command List
- `audit-settings`: Check Windows event log audit policy settings.
- `audit-filesize`: Check Windows event log file size.
- `configure`: Configure recommended Windows event log audit policy and file size.
- `update-rules`: Update WELA's Sigma rules config files.
# Command Usage
@@ -113,7 +125,7 @@ The `audit-settings` command checks the Windows event log audit policy settings
### `audit-settings` command examples
Check with the default Yamato Security's recommended settings and save results to CSV:
```
./WELA.ps1 audit-settings
./WELA.ps1 audit-settings -BaseLine YamatoSecurity
```
Check with the Australian Signals Directorate's recommended settings and save results to CSV:
@@ -137,7 +149,21 @@ The `audit-filesize` command checks the Windows event logs' file size and compar
### `audit-filesize` command examples
Check the Windows event log file size with Yamato Security's recommendations and save results to CSV:
```
./WELA.ps1 audit-filesize
./WELA.ps1 audit-filesize -BaseLine YamatoSecurity
```
## configure
The `configure` command sets the recommended Windows event log audit policy and file size.
#### `configure` command examples
Apply Yamato Security's recommended settings (with confirmation prompt before changing settings):
```
./WELA.ps1 configure --BaseLine YamatoSecurity
```
Apply Australian Signals Directorate's recommended settings without confirmation prompt:
```
./WELA.ps1 configure --BaseLine ASD -auto
```
## update-rules

72
WELA.ps1
View File

@@ -5367,8 +5367,8 @@ function Export-MitreHeatmap {
$heatmap = @{
"name" = "WELA detection heatmap"
"versions" = @{
"attack" = "17"
"navigator" = "5.1.0"
"attack" = "18"
"navigator" = "5.2.0"
"layer" = "4.5"
}
"domain" = "enterprise-attack"
@@ -5890,6 +5890,70 @@ function ConfigureAuditSettings {
}
Write-Host ""
}
# AD CS AuditFilter の設定
Write-Host "Configuring AD CS Audit Settings..."
try {
$installed = (Get-WindowsFeature -Name AD-Certificate).InstallState -eq "Installed"
} catch {
$installed = $false
}
if ($installed) {
try {
$csRootKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\"
$caName = (Get-ItemProperty $csRootKey -ErrorAction Stop).Active
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$prop = Get-ItemProperty -Path $regPath -Name "AuditFilter" -ErrorAction SilentlyContinue
$currentValue = if ($null -ne $prop) { [int]$prop.AuditFilter } else { "Not Set" }
if ($currentValue -eq 127) {
Write-Host "[OK] AuditFilter is already 127" -ForegroundColor Green
}
else {
$proceed = $false
if ($Auto) {
$proceed = $true
}
else {
$response = Read-Host "Do you want to set AuditFilter to 127 and restart Certificate Services? (Y/n)"
$proceed = ($response -eq "" -or $response -match "^[Yy]$")
}
if ($proceed) {
try {
# AuditFilter の設定
& certutil.exe -setreg "CA\AuditFilter" 127 >$null 2>&1
# 証明書サービスの再起動
Restart-Service -Name "CertSvc" -Force -ErrorAction Stop
# 反映確認
$propAfter = Get-ItemProperty -Path $regPath -Name "AuditFilter" -ErrorAction SilentlyContinue
$newValue = if ($null -ne $propAfter) { [int]$propAfter.AuditFilter } else { $null }
if ($newValue -eq 127) {
Write-Host "[OK] AuditFilter set to 127 and CertSvc restarted" -ForegroundColor Green
}
else {
Write-Host "[ERROR] AuditFilter did not apply as expected (current: $newValue)" -ForegroundColor Red
}
}
catch {
Write-Host "[ERROR] Failed to set AuditFilter or restart CertSvc: $_" -ForegroundColor Red
}
}
else {
Write-Host "[SKIP] No changes applied to AuditFilter"
}
}
}
catch {
Write-Host "[ERROR] Failed to process AD CS audit settings: $_" -ForegroundColor Red
}
}
else {
Write-Host "[INFO] AD Certificate Services is not installed. Skipping." -ForegroundColor Yellow
}
Write-Host ""
Write-Host "Configuration completed successfully" -ForegroundColor Green
}
@@ -5901,7 +5965,6 @@ $logo = @"
by Yamato Security
"@
$usage = @"
@@ -5918,6 +5981,9 @@ Usage:
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Write-Host $logo -ForegroundColor Green
Write-Host ""
Write-Host "WELA v2.0.0 - CODE BLUE Release"
Write-Host ""
switch ($Cmd.ToLower()) {
"audit-settings" {

BIN
screenshots/configure.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 395 KiB

BIN
screenshots/mitre.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 926 KiB