feat: verbose security

2025-12-08 02:02:56 +01:00 · 2025-04-04 08:09:03 +09:00
parent 750eeb4d45
commit 243f8fdd0a
1 changed files with 44 additions and 44 deletions
--- a/WELAVerboseSecAudit.psm1
+++ b/WELAVerboseSecAudit.psm1
@@ -21,7 +21,7 @@ function CountRules {
            $counts[$rule.level]++
        }
    }
-    $status = if ($filterd_rules[0].applicable) { ": enabled" } else { ": disabled" }
+    $status = if ($filterd_rules[0].applicable) { " enabled" } else { " disabled" }
    $result = "$status (critical: $($counts['critical']) | high: $($counts['high']) | medium: $($counts['medium']) | low: $($counts['low']), info: $($counts['informational']))"
    return $result
 }
@@ -109,11 +109,11 @@ function ShowVerboseSecurity {
    $msg  = @"
 Detailed Security category settings:
 Account Logon
-  - Credential Validation $m_credential_validation
+  - Credential Validation: $m_credential_validation
    - Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.
    - Default settings: Client OS: No Auditing | Server OS: Success
    - Recommended settings: Client and Server OSes: Success and Failure
-  - Kerberos Authentication Service $m_kerberos_authentication_service
+  - Kerberos Authentication Service: $m_kerberos_authentication_service
    - Volume: High
    - Default settings: Client OS: No Auditing | Server OS: Success
    - Recommended settings: Client OS: No Auditing | Server OS: Success and Failure
@@ -122,174 +122,174 @@ Account Logon
    - Default settings: Client OS: No Auditing | Server OS: Success
    - Recommended settings: Domain Controllers: Success and Failure
 Account Management
-  - Computer Account Management $m_computer_account_management
+  - Computer Account Management: $m_computer_account_management
    - Volume: Low
    - Default settings: Client OS: No Auditing | Server OS: Success Only
    - Recommended settings: Domain Controllers: Success and Failure
-  - Other Account Management Events $m_other_account_management
+  - Other Account Management Events: $m_other_account_management
    - Volume: Low
    - Default settings: No Auditing
    - Recommended settings: Success and Failure
-  - Security Group Management $m_security_group_management
+  - Security Group Management: $m_security_group_management
    - Volume: Low
    - Default settings: Success
    - Recommended settings: Success and Failure
-  - User Account Management $m_user_account_management
+  - User Account Management: $m_user_account_management
    - Volume: Low
    - Default settings: Success
    - Recommended settings: Success and Failure
 Detailed Tracking
-  - Plug and Play Events $m_plug_and_play_events
+  - Plug and Play Events: $m_plug_and_play_events
    - Volume: Typcially low
    - Default settings: No Auditing
    - Recommended settings: Success and Failure
-  - Process Creation $m_process_creation
+  - Process Creation: $m_process_creation
    - Volume: High
    - Default settings: No Auditing
    - Recommended settings: Success and Failure if sysmon is not configured.
-  - Process Termination $m_process_termination
+  - Process Termination: $m_process_termination
    - Volume: High
    - Default settings: No Auditing
    - Recommended settings: No Auditing unless you want to track the lifespan of processes.
-  - RPC (Remote Procedure Call) Events $m_rpc_events
+  - RPC (Remote Procedure Call) Events: $m_rpc_events
    - Volume: High on RPC servers (According to Microsoft)
    - Default settings: No Auditing
    - Recommended settings: Unknown. Needs testing.
-  - Token Right Adjusted Events $m_token_right_adjusted_events
+  - Token Right Adjusted Events: $m_token_right_adjusted_events
    - Volume: Unknown
    - Default settings: No Auditing
    - Recommended settings: Unknown. Needs testing.
 DS (Directory Service) Access
-  - Directory Service Access $m_directory_service_access
+  - Directory Service Access: $m_directory_service_access
    - Volume: High
    - Default settings: Client OS: No Auditing | Server OS: Success
    - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
-  - Directory Service Changes $m_directory_service_changes
+  - Directory Service Changes: $m_directory_service_changes
    - Volume: High
    - Default settings: No Auditing
    - Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure
 Logon/Logoff
-  - Account Lockout $m_account_lockout
+  - Account Lockout: $m_account_lockout
    - Volume: Low
    - Default settings: Success
    - Recommended settings: Success and Failure
-  - Group Membership $m_group_membership
+  - Group Membership: $m_group_membership
    - Volume: Adds an extra 4627 event to every logon.
    - Default settings: No Auditing
    - Recommended settings: No Auditing
-  - Logoff $m_logoff
+  - Logoff: $m_logoff
    - Volume: High
    - Default settings: Success
    - Recommended settings: Success
-  - Logon $m_logon
+  - Logon: $m_logon
    - Volume: Low on clients, medium on DCs or network servers
    - Default settings: Client OS: Success | Server OS: Success and Failure
    - Recommended settings: Success and Failure
-  - Other Logon/Logoff Events $m_other_logon_logoff_events
+  - Other Logon/Logoff Events: $m_other_logon_logoff_events
    - Volume: Low
    - Default settings: No Auditing
    - Recommended settings: Success and Failure
-  - Special Logon $m_special_logon
+  - Special Logon: $m_special_logon
    - Volume: Low on clients. Medium on DC or network servers.
    - Default settings: Success
    - Recommended settings: Success and Failure
 Object Access
-  - Certification Services $m_certification_services
+  - Certification Services: $m_certification_services
    - Volume: Low to medium
    - Default settings: No Auditing
    - Recommended settings: Success and Failure for AD CS role servers.
-  - Detailed File Share $m_detailed_file_share
+  - Detailed File Share: $m_detailed_file_share
    - Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.
    - Default settings: No Auditing
    - Recommended settings: No Auditing due to the high noise level. Enable if you can though.
-  - File Share $m_file_share
+  - File Share: $m_file_share
    - Volume: High for file servers and DCs.
    - Default settings: No Auditing
    - Recommended settings: Success and Failure
-  - File System $m_file_system
+  - File System: $m_file_system
    - Volume: Depends on SACL rules
    - Default settings: No Auditing
    - Recommended settings: Enable SACLs just for sensitive files
-  - Filtering Platform Connection $m_filtering_platform_connection
+  - Filtering Platform Connection: $m_filtering_platform_connection
    - Volume: High
    - Default settings: No Auditing
    - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
-  - Filtering Platform Packet Drop $m_filtering_platform_packet_drop
+  - Filtering Platform Packet Drop: $m_filtering_platform_packet_drop
    - Volume: High
    - Default settings: No Auditing
    - Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.
-  - Kernel Object $m_kernel_object
+  - Kernel Object: $m_kernel_object
    - Volume: High if auditing access of global object access is enabled
    - Default settings: No Auditing
    - Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.
-  - Handle Manipulation $m_handle_manipulation
+  - Handle Manipulation: $m_handle_manipulation
    - Volume: High
    - Default settings: No Auditing
    - Recommended settings: Success and Failure
-  - Other Object Access Events $m_other_object_access_events
+  - Other Object Access Events: $m_other_object_access_events
    - Volume: Low
    - Default settings: No Auditing
    - Recommended settings: Success and Failure
-  - Registry $m_registry
+  - Registry: $m_registry
    - Volume: Depends on SACLs
    - Default settings: No Auditing
    - Recommended settings: Set SACLs for only the registry keys that you want to monitor
-  - Removable Storage $m_removable_storage
+  - Removable Storage: $m_removable_storage
    - Volume: Depends on how much removable storage is used
    - Default settings: No Auditing
    - Recommended settings: Success and Failure if you want to monitor external device usage.
-  - SAM $m_sam
+  - SAM: $m_sam
    - Volume: High volume of events on Domain Controllers
    - Default settings: No Auditing
    - Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.
 Policy Change
-  - Audit Policy Change $m_audit_policy_change
+  - Audit Policy Change: $m_audit_policy_change
    - Volume: Low
    - Default settings: Success
    - Recommended settings: Success and Failure
-  - Authentication Policy Change $m_authentication_policy_change
+  - Authentication Policy Change: $m_authentication_policy_change
    - Volume: Low
    - Default settings: Success
    - Recommended settings: Success and Failure
-  - Authorization Policy Change $m_authorization_policy_change
+  - Authorization Policy Change: $m_authorization_policy_change
    - Volume: Medium to High
    - Default settings: No Auditing
    - Recommended settings: Unknown. Needs testing.
-  - Filtering Platform Policy Change $m_filtering_platform_policy_change
+  - Filtering Platform Policy Change: $m_filtering_platform_policy_change
    - Volume: Low
    - Default settings: No Auditing
    - Recommended settings: Unknown, Needs testing.
-  - MPSSVC Rule-Level Policy Change $m_mpssvc_rule_level_policy_change
+  - MPSSVC Rule-Level Policy Change: $m_mpssvc_rule_level_policy_change
    - Volume: Low
    - Default settings: No Auditing
    - Recommended settings: Unknown. Needs testing.
-  - Other Policy Change Events $m_other_policy_change_events
+  - Other Policy Change Events: $m_other_policy_change_events
    - Volume: Low
    - Default settings: No Auditing
    - Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)
 Privilege Use
-  - Non Sensitive Use Events $m_non_sensitive_use_events
+  - Non Sensitive Use Events: $m_non_sensitive_use_events
    - Volume: Very high
    - Default settings: No Auditing
    - Recommended settings: No Auditing
-  - Sensitive Privilege Use $m_sensitive_privilege_use
+  - Sensitive Privilege Use: $m_sensitive_privilege_use
    - Volume: High
    - Default settings: No Auditing
    - Recommended settings: Success and Failure However, this may be too noisy.
 System
-  - Other System Events $m_other_system_events
+  - Other System Events: $m_other_system_events
    - Volume: Low
    - Default settings: Success and Failure
    - Recommended settings: Unknown. Needs testing.
-  - Security State Change $m_security_state_change
+  - Security State Change: $m_security_state_change
    - Volume: Low
    - Default settings: Success
    - Recommended settings: Success and Failure
-  - Security System Extension $m_security_system_extension
+  - Security System Extension: $m_security_system_extension
    - Volume: Low, but more on DCs
    - Default settings: No Auditing
    - Recommended settings: Success and Failure
-  - System Integrity $m_system_integrity
+  - System Integrity: $m_system_integrity
    - Volume: Low
    - Default settings: Sucess, Failure
    - Recommended settings: Success and Failure