diff --git a/README-Japanese.md b/README-Japanese.md index eac3271d..960d19e7 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -44,7 +44,9 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善 - [audit-settings (stdout)](#audit-settings-stdout) - [audit-settings (gui)](#audit-settings-gui) - [audit-settings (table)](#audit-settings-table) + - [audit-settings (mitre-attack-navigator)](#audit-settings-mitre-attack-navigator) - [audit-filesize](#audit-filesize) + - [configure](#configure) - [機能](#機能) - [前提要件](#前提要件) - [ダウンロード](#ダウンロード) @@ -55,6 +57,8 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善 - [`audit-settings` command examples](#audit-settings-command-examples) - [audit-filesize](#audit-filesize-1) - [`audit-filesize` command examples](#audit-filesize-command-examples) + - [configure](#configure) + - [`configure` command examples](#configure-command-examples) - [update-rules](#update-rules) - [`update-rules` command examples](#update-rules-command-examples) - [Windowsイベントログの監査設定に関するその他の参考資料](#windowsイベントログの監査設定に関するその他の参考資料) @@ -78,14 +82,21 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善 ## audit-settings (table) ![WELA Table](screenshots/table.png) +## audit-settings (mitre-attack-navigator) +![WELA Mitre Attack Navigator](screenshots/mitre.png) + ## audit-filesize ![WELA FileSize](screenshots/filesize.png) +## configure +![WELA Configure](screenshots/configure.png) + # 機能 - Windows Event Log Audit policyに対する評価 - 主要なWindowsイベントログ監査設定ガイドに基づくチェック - Windows Event Logの監査設定を、実際のSigmaルールの検知範囲に基づいて評価 - Windows Event Logのファイルサイズを監査し、推奨サイズを提案 +- 推奨されるWindowsイベントログ監査ポリシーとファイルサイズの設定 # 前提要件 * PowerShell 5.1+ @@ -103,6 +114,7 @@ WELAはこうした課題を洗い出し、Windowsイベントログ設定改善 # コマンド一覧 - `audit-settings`: Windowsイベントログ監査ポリシー設定を評価する - `audit-filesize`: Windowsイベントログファイルサイズを評価する +- `configure`: 推奨のWindowsイベントログ監査ポリシーとファイズサイズを設定する - `update-rules`: WELAのSigmaルール設定ファイルを更新する # コマンド使用例 
@@ -113,7 +125,7 @@ RuleCountは、そのカテゴリ内のイベントを検出できる[Sigmaル #### `audit-settings` command examples YamatoSecurityの推奨設定でチェックし、CSV形式で保存する: ``` -./WELA.ps1 audit-settings +./WELA.ps1 audit-settings -BaseLine YamatoSecurity ``` Australian Signals Directorateの推奨設定でチェックし、CSV形式で保存する: @@ -132,12 +144,26 @@ Microsoftの推奨設定(Client)でチェックし、Table形式で表示する: ``` ## audit-filesize -`audit-filesize`コマンドは、Windowsイベントログファイルサイズを評価し、**Yamato Security**の推奨設定と比較します。 +`audit-filesize`コマンドは、Windowsイベントログファイルサイズを評価し、Yamato Securityの推奨設定と比較します。 #### `audit-filesize` command examples WindowsイベントログファイルサイズをYamatoSecurityの推奨設定でチェックし、CSV形式で保存する: ``` -./WELA.ps1 audit-filesize +./WELA.ps1 audit-filesize --BaseLine YamatoSecurity +``` + +## configure +`configure`コマンドは、推奨のWindowsイベントログ監査ポリシーとファイルサイズを設定します。 + +#### `configure` command examples +Yamato Securityの推奨設定を適用する(設定変更時に確認プロンプトを表示): +``` +./WELA.ps1 configure --BaseLine YamatoSecurity +``` + +Australian Signals Directorateの推奨設定を自動で適用する: +``` +./WELA.ps1 configure --BaseLine ASD -auto ``` ## update-rules diff --git a/README.md b/README.md index a824c813..ed4cd4a8 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,9 @@ WELA also assesses log configurations **based on real-world Sigma rule coverage* - [audit-settings (terminal output)](#audit-settings-terminal-output) - [audit-settings (GUI)](#audit-settings-gui) - [audit-settings (table)](#audit-settings-table) + - [audit-setting (mitre-attack-navigator)](#audit-settings-table) - [audit-filesize](#audit-filesize) + - [configure](#configure) - [Features](#features) - [Prerequisites](#prerequisites) - [Downloads](#downloads) 
@@ -55,6 +57,8 @@ WELA also assesses log configurations **based on real-world Sigma rule coverage* - [`audit-settings` command examples](#audit-settings-command-examples) - [audit-filesize](#audit-filesize-1) - [`audit-filesize` command examples](#audit-filesize-command-examples) + - [configure](#configure) + - [`configure` command examples](#configure-command-examples) - [update-rules](#update-rules) - [`update-rules` command examples](#update-rules-command-examples) - [Other Windows Event Log Audit Settings Related Resources](#other-windows-event-log-audit-settings-related-resources) @@ -78,14 +82,21 @@ WELA also assesses log configurations **based on real-world Sigma rule coverage* ## audit-settings (table) ![WELA Table](screenshots/table.png) +## audit-settings (mitre-attack-navigator) +![WELA Mitre Attack Navigator](screenshots/mitre.png) + ## audit-filesize ![WELA FileSize](screenshots/filesize.png) +## configure +![WELA Configure](screenshots/configure.png) + # Features - Auditing Windows event log audit policy settings. - Checking **based on the major Windows event log audit configuration guidelines**. - Checking Windows event log audit settings based on **real-world Sigma rule detectability**. - Auditing of Windows event log file sizes and suggestions for the recommended size. +- Setting recommended Windows event log audit policy and file sizes. # Prerequisites * Windows PowerShell 5.1 or PowerShell Core @@ -103,6 +114,7 @@ Please download the latest stable version of WELA from the [Releases](https://gi # Command List - `audit-settings`: Check Windows event log audit policy settings. - `audit-filesize`: Check Windows event log file size. +- `configure`: Configure recommended Windows event log audit policy and file size. - `update-rules`: Update WELA's Sigma rules config files. # Command Usage 
@@ -113,7 +125,7 @@ The `audit-settings` command checks the Windows event log audit policy settings ### `audit-settings` command examples Check with the default Yamato Security's recommended settings and save results to CSV: ``` -./WELA.ps1 audit-settings +./WELA.ps1 audit-settings -BaseLine YamatoSecurity ``` Check with the Australian Signals Directorate's recommended settings and save results to CSV: @@ -137,7 +149,21 @@ The `audit-filesize` command checks the Windows event logs' file size and compar ### `audit-filesize` command examples Check the Windows event log file size with Yamato Security's recommendations and save results to CSV: ``` -./WELA.ps1 audit-filesize +./WELA.ps1 audit-filesize -BaseLine YamatoSecurity +``` + +## configure +The `configure` command sets the recommended Windows event log audit policy and file size. + +#### `configure` command examples +Apply Yamato Security's recommended settings (with confirmation prompt before changing settings): +``` +./WELA.ps1 configure --BaseLine YamatoSecurity +``` + +Apply Australian Signals Directorate's recommended settings without confirmation prompt: +``` +./WELA.ps1 configure --BaseLine ASD -auto ``` ## update-rules diff --git a/WELA.ps1 b/WELA.ps1 index e51a66bb..f5b9985c 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -5367,8 +5367,8 @@ function Export-MitreHeatmap { $heatmap = @{ "name" = "WELA detection heatmap" "versions" = @{ - "attack" = "17" - "navigator" = "5.1.0" + "attack" = "18" + "navigator" = "5.2.0" "layer" = "4.5" } "domain" = "enterprise-attack" 
@@ -5890,6 +5890,70 @@ function ConfigureAuditSettings { } Write-Host "" } + + # AD CS AuditFilter の設定 + Write-Host "Configuring AD CS Audit Settings..." + try { + $installed = (Get-WindowsFeature -Name AD-Certificate).InstallState -eq "Installed" + } catch { + $installed = $false + } + + if ($installed) { + try { + $csRootKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\" + $caName = (Get-ItemProperty $csRootKey -ErrorAction Stop).Active + $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" + $prop = Get-ItemProperty -Path $regPath -Name "AuditFilter" -ErrorAction SilentlyContinue + $currentValue = if ($null -ne $prop) { [int]$prop.AuditFilter } else { "Not Set" } + if ($currentValue -eq 127) { + Write-Host "[OK] AuditFilter is already 127" -ForegroundColor Green + } + else { + $proceed = $false + if ($Auto) { + $proceed = $true + } + else { + $response = Read-Host "Do you want to set AuditFilter to 127 and restart Certificate Services? 
(Y/n)" + $proceed = ($response -eq "" -or $response -match "^[Yy]$") + } + + if ($proceed) { + try { + # AuditFilter の設定 + & certutil.exe -setreg "CA\AuditFilter" 127 >$null 2>&1 + # 証明書サービスの再起動 + Restart-Service -Name "CertSvc" -Force -ErrorAction Stop + # 反映確認 + $propAfter = Get-ItemProperty -Path $regPath -Name "AuditFilter" -ErrorAction SilentlyContinue + $newValue = if ($null -ne $propAfter) { [int]$propAfter.AuditFilter } else { $null } + + if ($newValue -eq 127) { + Write-Host "[OK] AuditFilter set to 127 and CertSvc restarted" -ForegroundColor Green + } + else { + Write-Host "[ERROR] AuditFilter did not apply as expected (current: $newValue)" -ForegroundColor Red + } + } + catch { + Write-Host "[ERROR] Failed to set AuditFilter or restart CertSvc: $_" -ForegroundColor Red + } + } + else { + Write-Host "[SKIP] No changes applied to AuditFilter" + } + } + } + catch { + Write-Host "[ERROR] Failed to process AD CS audit settings: $_" -ForegroundColor Red + } + } + else { + Write-Host "[INFO] AD Certificate Services is not installed. Skipping." -ForegroundColor Yellow + } + Write-Host "" + Write-Host "Configuration completed successfully" -ForegroundColor Green } @@ -5901,7 +5965,6 @@ $logo = @" ┗┓┏┓┏┫┗━━┫┗━┛┃┏━┓┃ ┗┛┗┛┗━━━┻━━━┻┛ ┗┛ by Yamato Security - "@ $usage = @" @@ -5918,6 +5981,9 @@ Usage: [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 Write-Host $logo -ForegroundColor Green +Write-Host "" +Write-Host "WELA v2.0.0 - CODE BLUE Release" +Write-Host "" switch ($Cmd.ToLower()) { "audit-settings" { diff --git a/screenshots/configure.png b/screenshots/configure.png new file mode 100644 index 00000000..28127c64 Binary files /dev/null and b/screenshots/configure.png differ diff --git a/screenshots/mitre.png b/screenshots/mitre.png new file mode 100644 index 00000000..ecbee02d Binary files /dev/null and b/screenshots/mitre.png differ
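Review bot: Typo in the new `configure` bullet of the README-Japanese.md command list hunk (`@@ -103,6 +114,7`): `ファイズサイズ` should be `ファイルサイズ`, matching the wording used in the 機能 list and in the `configure` section description of the same file.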
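Review bot: Inconsistent parameter prefix in the README-Japanese.md `@@ -132,12 +144,26` hunk: the `audit-filesize` example and both `configure` examples use `--BaseLine`, while the `audit-settings` example in the same file (and the `-auto` switch on the same command line) use a single dash. WELA.ps1 is a PowerShell script and binds parameters with a single dash, so `--BaseLine` will not bind the same way as `-BaseLine`; change all three to `-BaseLine YamatoSecurity` / `-BaseLine ASD`.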
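Review bot: Broken TOC entry in the README.md `@@ -44,7 +44,9` hunk: the added line `- [audit-setting (mitre-attack-navigator)](#audit-settings-table)` links to the table section's anchor and drops the `s` in `audit-settings`. It should read `- [audit-settings (mitre-attack-navigator)](#audit-settings-mitre-attack-navigator)`, as the Japanese README already does, so the link lands on the new `## audit-settings (mitre-attack-navigator)` heading.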
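Review bot: Prose and example disagree in the README.md `@@ -113,7 +125,7` hunk: the lead sentence still says "Check with the default Yamato Security's recommended settings" while the command now passes `-BaseLine YamatoSecurity` explicitly. Either keep "default" and say the flag is optional, or drop "default" if the baseline must now be given.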
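Review bot: Same `--BaseLine` problem in the README.md `@@ -137,7 +149,21` hunk: `audit-filesize` is corrected to `-BaseLine YamatoSecurity`, but the two new `configure` examples use `--BaseLine YamatoSecurity` and `--BaseLine ASD -auto`, mixing a double-dash parameter with a single-dash switch on one line; use `-BaseLine` throughout. Also the new `#### \`configure\` command examples` heading is one level deeper than the neighbouring `### \`audit-filesize\` command examples` and `### \`audit-settings\` command examples` headings in this file; use `###` so the TOC nesting stays uniform.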
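Review bot: The `& certutil.exe -setreg "CA\AuditFilter" 127 >$null 2>&1` call in the WELA.ps1 `@@ -5890,6 +5890,70` hunk discards its output and never checks `$LASTEXITCODE`; a failing native command does not throw, so the `try` block proceeds to `Restart-Service -Name "CertSvc" -Force` even when the registry write failed. The post-restart read-back does catch the mismatch, but by then the CA has already been bounced for nothing. Check `$LASTEXITCODE -ne 0` immediately after the call and report the error without restarting in that case. Two smaller points: `Write-Host "Configuration completed successfully"` at the end of the hunk prints unconditionally, including after any of the `[ERROR]` branches, so track a failure flag and word the final line accordingly; and the `catch` around `Get-WindowsFeature` maps every failure (cmdlet absent on a client OS, ServerManager not loaded) to `$installed = $false`, which is a safe default but silently conflates "could not query" with "AD CS not installed", so consider distinguishing the two in the `[INFO]` message.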
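Review bot: Hard-coded version string in the WELA.ps1 `@@ -5918,6 +5981,9` hunk: `Write-Host "WELA v2.0.0 - CODE BLUE Release"` embeds the version literal at the call site, so it will drift from the release tag on the next bump. Define the version once (for example a `$Version` variable near the top of the script, a hypothetical name) and interpolate it here.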